lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset
- Severity: Medium
Description
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.
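The gap described above, shown as an added example (a simplified model, not lodash's source code and not part of the original advisory): a string-only segment check next to a guard that coerces each segment to its final property key before validating. The names `BLOCKED`, `stringOnlyGuard` and `sanitizePath` and the deny-list contents are assumptions made for illustration.

```javascript
// Added example: simplified model of the check, not lodash's source code.
// BLOCKED is an assumed deny-list of keys that reach built-in prototypes.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Models a guard that inspects only string segments. An array-wrapped
// segment such as ['__proto__'] is not a string, so it passes unchecked,
// yet it coerces to '__proto__' when later used as a property key.
function stringOnlyGuard(segments) {
  return segments.some((seg) => typeof seg === 'string' && BLOCKED.has(seg));
}

// Hardened: coerce every segment to its final property key exactly once,
// validate the coerced keys, and return them so the caller passes plain
// strings on. A second coercion (e.g. a stateful toString) cannot differ.
function sanitizePath(path) {
  const segments = Array.isArray(path)
    ? path
    : String(path).split(/[.\[\]'"]+/).filter(Boolean);
  const keys = segments.map((seg) => (typeof seg === 'symbol' ? seg : String(seg)));
  for (const key of keys) {
    if (typeof key === 'string' && BLOCKED.has(key)) {
      throw new RangeError(`blocked path segment: ${key}`);
    }
  }
  return keys;
}

// Constructed sample inputs.
const wrapped = [['__proto__'], 'toString'];
console.log(stringOnlyGuard(wrapped)); // the string-only check sees nothing
try {
  sanitizePath(wrapped);
} catch (err) {
  console.log(err.message);
}
console.log(sanitizePath(['user', ['profile'], 0]));
```

A guard like this is defence in depth for code that forwards untrusted paths to `_.unset` or `_.omit`; it does not replace moving to the patched version.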
Recommendation
Update the lodash.unset package to the latest compatible version. Version details:
- Affected version(s): >= 4.0.0, < 4.18.0
- Patched version(s): 4.18.0
References
Related Issues
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-es - CVE-2026-2950
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - lodash.unset - CVE-2025-13465
- Tags: npm, lodash.unset
Last updated on April 01, 2026


