Fluid Attacks Database

Description

lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	lodash-es	>=0 <4.18.0	4.18.0
npm	lodash-amd	>=0 <4.18.0	4.18.0
npm	lodash	>=0 <4.18.0	4.18.0
npm	lodash.unset	>=4.0.0 <4.18.0	4.18.0
debian 11	node-lodash	=4.17.21+dfsg+~cs8.31.173-1 \|\| =4.17.21+dfsg+~cs8.31.189.20210220-1 \|\| =4.17.21+dfsg+~cs8.31.189.20210220-2 \|\| =4.17.21+dfsg+~cs8.31.189.20210220-2~bpo11+1 \|\| =4.17.21+dfsg+~cs8.31.189.20210220-3 \|\| =4.17.21+dfsg+~cs8.31.196.20210220-1 \|\| =4.17.21+dfsg+~cs8.31.196.20210220-2 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-1 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-10 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-2 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-3 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-4 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-5 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-6 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-7 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-8 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+1 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+2 \|\| =4.17.23+dfsg-1 \|\| =4.18.1+dfsg-1 \|\| =4.18.1+dfsg-2 \|\| =4.18.1+dfsg-3	-
debian 13	node-lodash	=4.17.21+dfsg+~cs8.31.198.20210220-10 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9 \|\| =4.17.23+dfsg-1 \|\| =4.18.1+dfsg-1 \|\| =4.18.1+dfsg-2 \|\| =4.18.1+dfsg-3	-
debian 14	node-lodash	=4.17.21+dfsg+~cs8.31.198.20210220-10 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9 \|\| =4.17.23+dfsg-1 \|\| >=0 <4.18.1+dfsg-1	4.18.1+dfsg-1
debian 12	node-lodash	=4.17.21+dfsg+~cs8.31.198.20210220-10 \|\| =4.17.21+dfsg+~cs8.31.198.20210220-9 \|\| =4.17.23+dfsg-1 \|\| =4.18.1+dfsg-1 \|\| =4.18.1+dfsg-2 \|\| =4.18.1+dfsg-3	-
rpm rhel10	grafana	-	-
rpm rhel9	linux-sgx	-	-

1-10 of 51

Aliases

1. CVE-2026-29502. NVD-2026-29503. OSV-2026-29504. OSV-DEBIAN-2026-29505. GHSA-f23m-r3pf-42rh6. GHSA-xxjr-mmjv-4gpg7. GCVE-2026-29508. SECURITY-TRACKER-CVE-2026-2950

References

1. https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh2. https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg