Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string path segments, so an attacker can bypass the check by passing array-wrapped path segments, which property access coerces to the same key (['__proto__'] becomes '__proto__'). This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Deleting a method that every object inherits, such as Object.prototype.toString, typically crashes or disables the application, so the usual impact is denial of service or altered behaviour rather than code execution.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
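The bypass described above, as an added JavaScript example that is not lodash's code and not the advisory's proof of concept: `unsetStringGuardOnly` is a hypothetical simplification of a guard that only inspects segments that are already strings, `unsetHardened` normalises every segment to the property key the engine will actually use before checking it, and `demoMarker` is a constructed, configurable stand-in for a real built-in so the demo cannot break the process it runs in.

```javascript
// Added example (not lodash's code and not the advisory's proof of concept):
// why a guard that only inspects string path segments is bypassable, and a
// guard that normalises segments first. Both unset functions below are
// hypothetical simplifications written for this page.

// Property access coerces non-string keys with ToPropertyKey, so a
// one-element array is indistinguishable from its string by the time it
// reaches obj[key]: ({})[['__proto__']] === Object.prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function castPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

function walkAndDelete(object, segs) {
  let cur = object;
  for (let i = 0; i < segs.length - 1 && cur != null; i++) cur = cur[segs[i]];
  if (cur == null) return true; // nothing to delete
  return delete cur[segs[segs.length - 1]];
}

// Vulnerable pattern: a segment is rejected only when it is *already* a
// string. ['__proto__'] is an array, passes the check, and is then coerced
// to '__proto__' by cur[segs[i]] inside walkAndDelete.
function unsetStringGuardOnly(object, path) {
  const segs = castPath(path);
  for (const seg of segs) {
    if (typeof seg === 'string' && FORBIDDEN.has(seg)) return false;
  }
  return walkAndDelete(object, segs);
}

// Hardened pattern: convert every segment to the key the engine will use
// (String() for arrays, numbers and other objects; symbols are kept) and
// check the normalised value instead of the raw input.
function toKey(seg) {
  return typeof seg === 'symbol' ? seg : String(seg);
}

function unsetHardened(object, path) {
  const segs = castPath(path).map(toKey);
  for (const seg of segs) {
    if (typeof seg === 'string' && FORBIDDEN.has(seg)) return false;
  }
  return walkAndDelete(object, segs);
}

// Demo harness. A configurable marker on Object.prototype stands in for a
// real built-in such as toString so the example cannot break the running
// process; the attacker-controlled path is [['__proto__'], 'demoMarker'].
function demo(unsetImpl) {
  Object.defineProperty(Object.prototype, 'demoMarker', {
    value: 'present', configurable: true, writable: true, enumerable: false,
  });
  try {
    const target = { user: { name: 'alice' } }; // constructed sample object
    const result = unsetImpl(target, [['__proto__'], 'demoMarker']);
    const stillThere = Object.prototype.hasOwnProperty.call(Object.prototype, 'demoMarker');
    return { result, stillThere };
  } finally {
    delete Object.prototype.demoMarker;
  }
}

console.log('string-only guard :', demo(unsetStringGuardOnly)); // { result: true, stillThere: false }
console.log('normalised guard  :', demo(unsetHardened));        // { result: false, stillThere: true }
```

Run it with `node`. The string path `'__proto__.demoMarker'` is blocked by both guards (that is the CVE-2025-13465 case); only the array-wrapped segment separates them. The general rule the hardened version follows is to validate the key after the same coercion the property access will apply, never before. To find affected copies in a dependency tree, `npm ls lodash` lists every resolved version; anything below 4.18.0 needs the upgrade.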
Tracking
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-f23m-r3pf-42rh | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` |
Thu, 16 Apr 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-915 |
| References | | |
| Metrics | threat_severity | threat_severity |
Tue, 07 Apr 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Lodash lodash-amd, Lodash lodash-es |
| CPEs | | `cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:*`, `cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:*`, `cpe:2.3:a:lodash:lodash.unset:*:*:*:*:*:node.js:*:*`, `cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*` |
| Vendors & Products | | Lodash lodash-amd, Lodash lodash-es |
Fri, 03 Apr 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Lodash, Lodash lodash, Lodash lodash.unset |
| Vendors & Products | | Lodash, Lodash lodash, Lodash lodash.unset |
Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |
Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version. |
| Title | | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` |
| Weaknesses | | CWE-1321 |
| References | | |
| Metrics | | cvssV3_1 |
Status: PUBLISHED
Assigner: openjs
Published:
Updated: 2026-04-01T13:43:21.491Z
Reserved: 2026-02-21T20:04:35.087Z
Link: CVE-2026-2950
Updated: 2026-04-01T13:43:18.193Z
Status : Analyzed
Published: 2026-03-31T20:16:26.207
Modified: 2026-04-07T16:12:25.970
Link: CVE-2026-2950
OpenCVE Enrichment
Updated: 2026-04-16T09:30:06Z