6.5
CVE-2026-2950
- EPSS 0.03%
- Veröffentlicht 31.03.2026 19:18:35
- Zuletzt bearbeitet 07.04.2026 16:12:25
- Quelle ce714d77-add3-4f53-aff5-83d477
- CVE-Watchlists
- Unerledigt
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Lodash ≫ Lodash-amd SwPlatformnode.js Version >= 4.0.0 < 4.17.23
Lodash ≫ Lodash.Unset SwPlatformnode.js Version >= 4.0.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.07 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| ce714d77-add3-4f53-aff5-83d477b104bb | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
|
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.