VulnerableCode Package Details - pkg:npm/lodash.unset@4.18.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/lodash.unset@4.18.0

Essentials
History (2)

purl	pkg:npm/lodash.unset@4.18.0

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-hjed-8rnm-kkbk	lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` ### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. ### Patches This issue is patched in 4.18.0. ### Workarounds None. Upgrade to the patched version.	CVE-2026-2950 GHSA-f23m-r3pf-42rh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:01:39.061573+00:00	GHSA Importer	Fixing	VCID-hjed-8rnm-kkbk	https://github.com/advisories/GHSA-f23m-r3pf-42rh	38.1.0
2026-04-02T12:52:51.882842+00:00	GithubOSV Importer	Fixing	VCID-hjed-8rnm-kkbk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f23m-r3pf-42rh/GHSA-f23m-r3pf-42rh.json	38.0.0