CVE-2026-2950
Prototype pollution vulnerability in lodash (npm)


What is CVE-2026-2950 About?

This prototype pollution vulnerability in Lodash affects versions 4.17.23 and earlier and allows attackers to delete properties from built-in prototypes. The fix for the previous CVE (CVE-2025-13465) was incomplete: an attacker can bypass its checks by passing array-wrapped path segments to the `_.unset` and `_.omit` functions. The result is deletion of prototype properties, so exploitation is possible wherever untrusted input reaches these Lodash functions.

Affected Software

  • lodash
    • <4.18.0
  • lodash-es
    • <4.18.0
  • lodash-amd
    • <4.18.0
  • lodash.unset
    • >=4.0.0, <4.18.0

Technical Details

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution through `_.unset` and `_.omit`. The previous fix (CVE-2025-13465) only prevented string key members from causing pollution; the bypass uses array-wrapped path segments, which can target and delete properties from `Object.prototype`, `Number.prototype`, and `String.prototype`. The issue permits deletion only; it does not allow overwriting original behavior. Additionally, `_.template` uses `assignInWith` to merge `options.imports`, which enumerates inherited properties, so it is susceptible to accidental pollution if `Object.prototype` was already compromised.

What is the Impact of CVE-2026-2950?

Successful exploitation may allow attackers to delete properties from global prototypes (e.g., `Object.prototype`), potentially disrupting application logic or leading to further vulnerabilities in applications that rely on those properties.
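Because the impact of this bug is the silent disappearance of built-in prototype members, a cheap defensive measure is a runtime integrity check that an application can run at startup or from a health endpoint. The following is an added example, not code from the advisory or from lodash; the member list is an assumption (a small sample of commonly relied-upon members) and the function names `missingPrototypeMembers` and `builtinPrototypesIntact` are hypothetical.

```javascript
// Added example; not code from the advisory or from lodash. Runtime integrity
// check for built-in prototype members that this class of bug can delete.
// The member list is an assumption: a small sample of commonly relied-upon
// members, to be extended for the application being protected.

const EXPECTED_PROTOTYPE_MEMBERS = [
  { label: 'Object.prototype', proto: Object.prototype,
    names: ['hasOwnProperty', 'isPrototypeOf', 'toString', 'valueOf'] },
  { label: 'Number.prototype', proto: Number.prototype,
    names: ['toFixed', 'toString', 'valueOf'] },
  { label: 'String.prototype', proto: String.prototype,
    names: ['trim', 'split', 'toLowerCase', 'valueOf'] },
];

// Returns the qualified names of expected members that are no longer own
// properties of their prototype. Object.getOwnPropertyDescriptor is a static
// on the Object constructor, so the check itself keeps working even if
// Object.prototype.hasOwnProperty has been deleted.
function missingPrototypeMembers(expected = EXPECTED_PROTOTYPE_MEMBERS) {
  const missing = [];
  for (const { label, proto, names } of expected) {
    for (const name of names) {
      if (Object.getOwnPropertyDescriptor(proto, name) === undefined) {
        missing.push(`${label}.${name}`);
      }
    }
  }
  return missing;
}

// Convenience wrapper for a startup check or health endpoint: true when intact.
function builtinPrototypesIntact(expected = EXPECTED_PROTOTYPE_MEMBERS) {
  return missingPrototypeMembers(expected).length === 0;
}
```

Run `missingPrototypeMembers()` after dependencies have loaded and again periodically; a non-empty result is a strong signal that something has deleted from a global prototype and is worth alerting on, independent of which library did it.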

What is the Exploitability of CVE-2026-2950?

Exploitation requires specific conditions: an application must pass untrusted input directly into `_.unset` or `_.omit`, or use untrusted input as key names in `options.imports` for `_.template`. This typically occurs where user-supplied data can influence object paths or property names. The attack vector is the application code that processes the untrusted input; it does not inherently require authentication, only a failure to sanitize that input. The complexity of crafting the array-wrapped path segments is moderate. The likelihood of exploitation is higher if the application uses `_.template` with untrusted input for `options.imports`, or has other prototype pollution vectors that can leverage `assignInWith` for further impact.
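The two preconditions above (untrusted paths reaching `_.unset`/`_.omit`, and untrusted key names reaching `options.imports`) can both be enforced on the caller's side. The following is an added example, not code from the advisory or from lodash; the helper names `normalizePath`, `isSafePath`, `assertSafePath` and `safeImports` are hypothetical, and the string-path parsing is a deliberately coarse approximation of lodash's path grammar, not a reimplementation of it.

```javascript
// Added example; not code from the advisory or from lodash. Helper names are
// hypothetical. Purpose: refuse untrusted property paths before they reach
// _.unset / _.omit, and refuse untrusted key names before they reach
// _.template's options.imports.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Flatten a path (string, array, or array containing nested array-wrapped
// segments) into a flat list of string segments. Only strings and numbers are
// accepted as segments; anything else (objects, symbols, null) is rejected so
// a custom toString() cannot influence the result. The string split below is a
// coarse approximation of lodash's path grammar: it splits on dots, brackets
// and quotes, which over-splits unusual keys but never hides a key name.
function normalizePath(path) {
  const segments = [];
  const visit = (seg) => {
    if (Array.isArray(seg)) {
      seg.forEach(visit);
    } else if (typeof seg === 'string') {
      for (const part of seg.split(/[.\[\]"']+/)) {
        if (part !== '') segments.push(part);
      }
    } else if (typeof seg === 'number') {
      segments.push(String(seg));
    } else {
      throw new TypeError(`unsupported path segment type: ${typeof seg}`);
    }
  };
  visit(path);
  return segments;
}

// True only when every segment, in whatever wrapping it arrived, is allowed.
function isSafePath(path) {
  try {
    return normalizePath(path).every((s) => !FORBIDDEN_SEGMENTS.has(s));
  } catch (err) {
    return false;
  }
}

// Throwing variant for use as a precondition: assertSafePath(p); _.unset(obj, p);
function assertSafePath(path) {
  if (!isSafePath(path)) {
    throw new Error('refusing property path that targets a built-in prototype');
  }
  return path;
}

// Build an imports object for _.template from untrusted input: only own,
// enumerable keys are copied (inherited names are skipped, so anything already
// sitting on Object.prototype is not picked up), forbidden names are refused,
// and the result has a null prototype so it carries no inherited entries itself.
function safeImports(untrusted) {
  const result = Object.create(null);
  for (const key of Object.keys(untrusted)) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`refusing template import name: ${key}`);
    }
    result[key] = untrusted[key];
  }
  return result;
}
```

Call `assertSafePath(path)` immediately before `_.unset(obj, path)` or `_.omit(obj, path)`, and pass `safeImports(input)` rather than raw input as `options.imports` to `_.template`. This is a caller-side precondition and a defence in depth; it does not replace upgrading to 4.18.0.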

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-2950?

Available Upgrade Options

  • lodash-amd
    • <4.18.0 → Upgrade to 4.18.0
  • lodash
    • <4.18.0 → Upgrade to 4.18.0
  • lodash.unset
    • >=4.0.0, <4.18.0 → Upgrade to 4.18.0
  • lodash-es
    • <4.18.0 → Upgrade to 4.18.0


Additional Resources

What are Similar Vulnerabilities to CVE-2026-2950?

Similar Vulnerabilities: CVE-2021-23337, CVE-2020-28500, CVE-2019-10744, CVE-2019-10740, CVE-2019-10741