lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

GHSA-f23m-r3pf-42rh · CVE-2026-2950

Published Apr 1, 2026 · Modified Apr 2, 2026

Description

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

References

WEB https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
WEB https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-2950
PACKAGE https://github.com/lodash/lodash

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes