VulnerableCode Package Details - pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-3

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hjed-8rnm-kkbk	lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version.	CVE-2026-2950 GHSA-f23m-r3pf-42rh
VCID-jsc5-qvjm-6kek	Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23.	CVE-2025-13465 GHSA-xxjr-mmjv-4gpg

Vulnerability

Summary

Aliases

VCID-hjed-8rnm-kkbk

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version.

CVE-2026-2950
GHSA-f23m-r3pf-42rh

VCID-jsc5-qvjm-6kek

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23.

CVE-2025-13465
GHSA-xxjr-mmjv-4gpg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-24T11:08:27.465151+00:00	Debian Importer	Fixing	VCID-hjed-8rnm-kkbk	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-24T10:00:49.489013+00:00	Debian Importer	Fixing	VCID-jsc5-qvjm-6kek	https://security-tracker.debian.org/tracker/data/json	38.4.0

2026-04-24T11:08:27.465151+00:00

Debian Importer

Fixing

VCID-hjed-8rnm-kkbk

https://security-tracker.debian.org/tracker/data/json

38.4.0

2026-04-24T10:00:49.489013+00:00

Debian Importer

Fixing

VCID-jsc5-qvjm-6kek

https://security-tracker.debian.org/tracker/data/json

38.4.0