CVE-2026-2950 in Lodash情報

要約 (英語)

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

責任者

openjs

予約する

2026年02月21日

公開

2026年03月31日

エントリ

VulDB provides additional information and datapoints for this CVE:

識別子脆弱性CWE悪用可対策CVE
354491Lodash _.omit1321未定義公式な修正CVE-2026-2950

説明

CPE

CWE

CVSS

エクスプロイト

履歴

差分

リンクする

脅威インテリジェンス

API JSON

API XML

API CSV

概要

Might our Artificial Intelligence support you?

Check our Alexa App!