CVE-2026-2950
Received Received - Intake
Prototype Pollution in Lodash _.unset and _.omit Functions

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: openjs

Description
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2950
EUVD
EUVD-2026-17591
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
lodash lodash From 4.0.0 (inc) to 4.17.23 (exc)
lodash lodash-amd From 4.0.0 (inc) to 4.17.23 (exc)
lodash lodash-es From 4.0.0 (inc) to 4.17.23 (exc)
lodash lodash.unset From 4.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Lodash versions 4.17.23 and earlier have a prototype pollution vulnerability in the _.unset and _.omit functions.

The fix for a related vulnerability only guards against string key members, but attackers can bypass this by using array-wrapped path segments.

This allows attackers to delete properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

However, the vulnerability permits deletion of prototype properties but does not allow overwriting their original behavior.

Impact Analysis

An attacker exploiting this vulnerability can delete properties from built-in JavaScript prototypes.

This can lead to unexpected behavior or errors in applications relying on these prototypes.

The CVSS score of 6.5 indicates a medium severity with impact on integrity and availability.

There are no workarounds; upgrading to version 4.18.0 or later is required to fix the issue.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Lodash to version 4.18.0 or later, where the issue is patched.

There are no known workarounds other than upgrading to the patched version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart