CVE-2026-2950: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Published Mar 31, 2026

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
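As an added example (not lodash's code and not part of the advisory), the guard below normalises a lodash-style path, including the array and nested-array forms, before allowing a deletion, so that a check which only inspects string segments cannot be sidestepped. The names `normalizePath`, `isSafePath` and `safeUnset`, and the simplified bracket parser, are assumptions made for illustration.

```javascript
// Added defensive helper (not lodash's own code): validates a lodash-style
// path before any unset/omit-like deletion. Names are illustrative.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Flatten a path into plain segments. Accepts the dotted string form
// ("a.b[0].c"), the array form (["a", "b"]) and nested arrays, because a
// check that only looks at string keys is what the advisory calls bypassable.
function normalizePath(path) {
  if (Array.isArray(path)) return path.flatMap(normalizePath);
  if (typeof path === 'symbol') return [path];
  return String(path)
    .replace(/\[(\d+)\]/g, '.$1') // a[0].b -> a.0.b (simplified parser, assumed)
    .split('.')
    .filter((seg) => seg.length > 0);
}

// True only when no segment of the path can step into a prototype chain.
function isSafePath(path) {
  return normalizePath(path).every((seg) => !UNSAFE_KEYS.has(seg));
}

// Delete a nested own property only after the whole path has been validated.
// Returns true if a property was removed, false if the path was rejected or
// did not resolve through own properties of plain objects.
function safeUnset(obj, path) {
  if (!isSafePath(path)) return false;
  const segs = normalizePath(path);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (cur === null || typeof cur !== 'object' || !hasOwn(cur, last)) return false;
  return delete cur[last];
}
```

The same normalisation can be applied to the key list handed to an `omit`-style call, since both functions accept the same path shapes.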

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.


Affected Software

12 affected components; fixes available where listed.

- npm/lodash <=4.17.23
- npm/lodash.unset >=4.0.0 <4.18.0 (fixed in 4.18.0)
- npm/lodash-amd <=4.17.23 (fixed in 4.18.0)
- npm/lodash-es <=4.17.23 (fixed in 4.18.0)
- npm/lodash <=4.17.23 (fixed in 4.18.0)
- Lodash Lodash Node.js >=4.0.0 <4.17.23
- Lodash Lodash-amd Node.js >=4.0.0 <4.17.23
- Lodash Lodash-es Node.js >=4.0.0 <4.17.23
- Lodash Lodash.unset Node.js >=4.0.0
- IBM MQ Operator, affected versions: SC2: v3.2.0 - v3.2.23; CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1; LTS: v2.0.0 - 2.0.29
- IBM supplied MQ Advanced container images, affected versions:
  SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1;
  CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2;
  LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2
- debian/node-lodash <=4.17.21+dfsg+~cs8.31.173-1, <=4.17.21+dfsg+~cs8.31.198.20210220-9 (fixed in 4.18.1+dfsg-3)

Event History

Mar 31, 2026
- CVE Published via MITRE, 07:18 PM
- Data Sourced via MITRE, 07:18 PM (Description, Severity, Weakness)
- Data Sourced via NVD, 08:16 PM (Description, Severity, Weakness, Affected Software)

Apr 1, 2026
- Advisory Published via GitHub, 11:50 PM
- Data Sourced via GitHub, 11:50 PM (Description, Severity, Weakness, Affected Software)

May 15, 2026
- Data Sourced via IBM, 12:00 AM (Description, Affected Software)

Jun 9, 2026
- Data Sourced via Debian, 06:09 PM (Description, Affected Software)
- Data Sourced via Launchpad, 06:09 PM (Description)

Jun 10, 2026
- Data Sourced via Ubuntu, 06:08 PM (Remedy, Description, Severity, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-2950?

CVE-2026-2950 is classified as a high-severity vulnerability due to its potential for prototype pollution.

2. How do I fix CVE-2026-2950?

To fix CVE-2026-2950, upgrade lodash to version 4.17.24 or later.

3. Which versions of lodash are affected by CVE-2026-2950?

Lodash versions 4.17.23 and earlier are affected by CVE-2026-2950.

4. What functions in lodash are vulnerable in CVE-2026-2950?

The vulnerable functions in lodash affected by CVE-2026-2950 are `_.unset` and `_.omit`.

5. What is prototype pollution in the context of CVE-2026-2950?

In the context of CVE-2026-2950, prototype pollution refers to the ability of an attacker to manipulate an object's prototype, potentially leading to application compromise.
