Search for packages
| purl | pkg:npm/lodash-es@4.17.23 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-an5j-y3cq-gbfx
Aliases: CVE-2026-4800 GHSA-r5fr-rjxr-66jc |
lodash vulnerable to Code Injection via `_.template` imports key names ### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`. ### Patches Users should upgrade to version 4.18.0. The fix applies two changes: 1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option) 2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated ### Workarounds Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names. |
Affected by 0 other vulnerabilities. |
|
VCID-hjed-8rnm-kkbk
Aliases: CVE-2026-2950 GHSA-f23m-r3pf-42rh |
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jsc5-qvjm-6kek | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23. |
CVE-2025-13465
GHSA-xxjr-mmjv-4gpg |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T17:01:39.219526+00:00 | GHSA Importer | Affected by | VCID-an5j-y3cq-gbfx | https://github.com/advisories/GHSA-r5fr-rjxr-66jc | 38.1.0 |
| 2026-04-02T17:01:39.085387+00:00 | GHSA Importer | Affected by | VCID-hjed-8rnm-kkbk | https://github.com/advisories/GHSA-f23m-r3pf-42rh | 38.1.0 |
| 2026-04-01T16:07:48.804094+00:00 | GHSA Importer | Fixing | VCID-jsc5-qvjm-6kek | https://github.com/advisories/GHSA-xxjr-mmjv-4gpg | 38.0.0 |
| 2026-04-01T12:53:42.115980+00:00 | GitLab Importer | Fixing | VCID-jsc5-qvjm-6kek | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/lodash-es/CVE-2025-13465.yml | 38.0.0 |
| 2026-04-01T12:52:17.638537+00:00 | GithubOSV Importer | Fixing | VCID-jsc5-qvjm-6kek | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-xxjr-mmjv-4gpg/GHSA-xxjr-mmjv-4gpg.json | 38.0.0 |