Search for packages
| purl | pkg:npm/lodash.unset@4.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hjed-8rnm-kkbk
Aliases: CVE-2026-2950 GHSA-f23m-r3pf-42rh |
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version. |
Affected by 0 other vulnerabilities. |
|
VCID-jsc5-qvjm-6kek
Aliases: CVE-2025-13465 GHSA-xxjr-mmjv-4gpg |
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions ### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. ### Patches This issue is patched on 4.17.23. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||