Platform
nodejs
Component
lodash
Fixed in
4.18.0
CVE-2026-2950 describes a prototype pollution vulnerability discovered in Lodash, a widely used JavaScript utility library. This flaw allows attackers to delete properties from built-in JavaScript prototypes, potentially disrupting application behavior. The vulnerability affects versions 4.17.23 and earlier, and a fix is available in version 4.18.0.
The core of the vulnerability lies in the `_.unset` and `_.omit` functions within Lodash. While a previous fix (CVE-2025-13465) attempted to prevent prototype pollution, it only addressed string-based keys. CVE-2026-2950 exploits a bypass by using array-wrapped path segments, effectively circumventing the intended protection. Successful exploitation allows an attacker to delete properties from critical prototypes like `Object.prototype`, `Number.prototype`, and `String.prototype`. While the vulnerability doesn't allow for overwriting prototype behavior, deleting properties can lead to unexpected errors, application instability, and potentially denial-of-service conditions. The impact is particularly severe in applications heavily reliant on Lodash or those with complex prototype hierarchies.
CVE-2026-2950 was published on 2026-04-01. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the nature of prototype pollution vulnerabilities, it's reasonable to assume that security researchers are actively investigating this issue, and public exploits may emerge in the future. The bypass of the previous fix (CVE-2025-13465) highlights the importance of thorough testing and validation of security patches.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2950 is to upgrade to Lodash version 4.18.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by validating and sanitizing user-supplied input used in `_.unset` and `_.omit` calls. Specifically, ensure that path segments are not array-wrapped. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block malicious input patterns targeting prototype pollution may also offer some protection. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but generic rules targeting prototype pollution attempts could be adapted.
Update the lodash library to version 4.18.0 or higher. This version contains the fix for the prototype pollution vulnerability. Run `npm install lodash@latest` or `yarn add lodash@latest` to update.
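One way to implement the interim workaround described above, as an added example that is not lodash code or part of the advisory: a path validator that refuses any segment which is not a primitive string or number (so array-wrapped segments are rejected rather than coerced) and any segment naming a prototype-reaching key, plus an own-property-only unset for comparison. The names `validatePath`, `safeUnset`, `isSafePath` and the forbidden-key list are assumptions of this example, and only dot-separated string paths are handled.

```javascript
// Keys that would let a path walk from a plain object into a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a user-supplied path into a flat array of string keys.
// Throws if any segment is not a primitive string/number (e.g. an
// array-wrapped segment) or names a prototype-reaching key. Call this
// before handing the path to _.unset / _.omit.
function validatePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  return segments.map((seg) => {
    if (typeof seg !== 'string' && typeof seg !== 'number') {
      throw new TypeError(`unsupported path segment type: ${typeof seg}`);
    }
    const key = String(seg);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`path segment "${key}" is not allowed`);
    }
    return key;
  });
}

// Convenience predicate for request handlers: true if the path is acceptable.
function isSafePath(path) {
  try {
    validatePath(path);
    return true;
  } catch (e) {
    return false;
  }
}

// Defensive unset that walks and deletes own properties only, so an
// inherited property (e.g. Object.prototype.toString) is never touched.
function safeUnset(obj, path) {
  const keys = validatePath(path);
  const hasOwn = (o, k) =>
    o !== null && typeof o === 'object' && Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (!hasOwn(cur, last)) return false;
  return delete cur[last];
}
```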
CVE-2026-2950 is a medium-severity prototype pollution vulnerability affecting Lodash versions 4.17.23 and earlier. It allows attackers to delete properties from JavaScript prototypes by bypassing previous fixes.
You are affected if you are using Lodash versions 4.17.23 or earlier. Check your project dependencies to determine if you are vulnerable.
Upgrade to Lodash version 4.18.0 or later to remediate the vulnerability. If upgrading is not possible, implement input validation on path segments used in `_.unset` and `_.omit`.
As of now, there are no confirmed reports of active exploitation, but security researchers are likely investigating the vulnerability.
Refer to the Lodash security advisories on GitHub: https://github.com/lodash/lodash/security/advisories