Lodash Prototype Pollution Vulnerability in _.unset and _.omit Functions

Vulnerability

A prototype pollution vulnerability has been identified in Lodash versions starting from 4.0.0 and prior to 4.17.22. The issue arises in the _.unset and _.omit functions, where crafted paths let an attacker delete methods from global prototypes. While this vulnerability allows for the deletion of properties, it does not enable overwriting their original behavior.

Impact

Exploitation of this vulnerability allows for prototype pollution, where global prototype methods can be deleted, potentially leading to unexpected behavior in the application.

Remediation

Users can upgrade to Lodash version 4.17.23 or later to address this vulnerability. The same applies to the lodash-amd, lodash-es, and lodash.unset packages.
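
As an added example (not Lodash code and not part of this advisory), the guard below screens caller-supplied paths before they reach _.unset or _.omit, as defence in depth alongside the upgrade. The deny-list of keys, the function names and the sample paths are assumptions made for illustration; the unset function is passed in so the block runs without Lodash installed.

```javascript
// Added example: screen paths before they reach _.unset / _.omit.
// Assumption: these keys are the ones through which a path reaches a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a Lodash-style path into segments. String paths are deliberately
// over-split (dots, brackets, quotes) so the guard errs toward rejection.
// Backslashes are dropped first so an escaped spelling of a key cannot
// slip past the comparison.
function pathSegments(path) {
  if (Array.isArray(path)) {
    // In an array path every element is one key; compare its string form.
    return path.map((part) => String(part));
  }
  return String(path)
    .replace(/\\/g, '')
    .split(/[.\[\]'"]+/)
    .filter((segment) => segment.length > 0);
}

function isSafePath(path) {
  return pathSegments(path).every((segment) => !FORBIDDEN_KEYS.has(segment));
}

// For _.omit(object, paths): keep the safe paths, report the rest for logging.
function partitionPaths(paths) {
  const list = Array.isArray(paths) ? paths : [paths];
  const safe = [];
  const rejected = [];
  for (const p of list) (isSafePath(p) ? safe : rejected).push(p);
  return { safe, rejected };
}

// For _.unset(object, path): refuse the call instead of forwarding the path.
// unsetFn is the real function, e.g. require('lodash').unset.
function guardedUnset(unsetFn, object, path) {
  if (!isSafePath(path)) {
    throw new TypeError('refused path: ' + JSON.stringify(path));
  }
  return unsetFn(object, path);
}

// Constructed sample input: paths as they might arrive from a request body.
const samplePaths = ['profile.nickname', 'settings["theme"]',
  '__proto__.x', ['a', 'constructor', 'b']];
console.log(partitionPaths(samplePaths));
```

The guard rejects a legitimate property that happens to be named constructor or prototype; that trade-off is intentional for input that is not trusted.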

Added: Jan 21, 2026, 8:26 PM
Updated: Jan 21, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.