VIR Vulnerability Intelligence Relay

CVE-2026-2950

unknown
Published 2026-04-01 · Modified 2026-04-02
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v2
VIR risk

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-2950

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyfixed4.18.1+dfsg-1
debian debiansidfixed4.18.1+dfsg-1
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
npm npmlodash<4.18.04.18.0
npm npmlodash-es<4.18.04.18.0
npm npmlodash-amd<4.18.04.18.0
npm npmlodash.unset>=4.0.0,<4.18.04.18.0

References

Verify integrity in audit chain (admin only). AS-IS.