Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-3?distro=trixie
purl pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-3?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (10)
Vulnerability Summary Aliases
VCID-2bwn-573p-rqay Regular Expression Denial of Service (ReDoS) in lodash lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11. CVE-2019-1010266
GHSA-x5rq-j2xg-h7qm
VCID-44qf-p2rd-6qay Prototype Pollution in lodash Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances. CVE-2020-8203
GHSA-p6mc-m468-83gw
VCID-an5j-y3cq-gbfx lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names. CVE-2026-4800
GHSA-r5fr-rjxr-66jc
VCID-dzeb-zu9x-g3bq Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. CVE-2019-10744
GHSA-jf85-cpcp-j695
VCID-e3y9-r7uz-pkfg Regular Expression Denial of Service (ReDoS) in lodash All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash'); function build_blank(n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1); var time2 = Date.now(); lo.trimEnd(s); var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2); ``` CVE-2020-28500
GHSA-29mw-wpgm-hmr9
VCID-fhw1-4c1k-sfh3 Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function. CVE-2021-23337
GHSA-35jh-r3h4-6jhm
VCID-hjed-8rnm-kkbk lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version. CVE-2026-2950
GHSA-f23m-r3pf-42rh
VCID-jsc5-qvjm-6kek Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23. CVE-2025-13465
GHSA-xxjr-mmjv-4gpg
VCID-s532-7mp1-kyeb Prototype Pollution in lodash Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. CVE-2018-16487
GHSA-4xc9-xhrj-v574
VCID-sxth-92xw-zbea Prototype Pollution in lodash Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. CVE-2018-3721
GHSA-fvqr-27wr-82fm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-20T17:18:20.146290+00:00 Debian Importer Fixing VCID-an5j-y3cq-gbfx https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:20.093491+00:00 Debian Importer Fixing VCID-hjed-8rnm-kkbk https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:20.045757+00:00 Debian Importer Fixing VCID-jsc5-qvjm-6kek https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.995795+00:00 Debian Importer Fixing VCID-fhw1-4c1k-sfh3 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.956991+00:00 Debian Importer Fixing VCID-44qf-p2rd-6qay https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.909432+00:00 Debian Importer Fixing VCID-e3y9-r7uz-pkfg https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.870580+00:00 Debian Importer Fixing VCID-dzeb-zu9x-g3bq https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.824018+00:00 Debian Importer Fixing VCID-2bwn-573p-rqay https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.780764+00:00 Debian Importer Fixing VCID-sxth-92xw-zbea https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-20T17:18:19.735776+00:00 Debian Importer Fixing VCID-s532-7mp1-kyeb https://security-tracker.debian.org/tracker/data/json 38.4.0