Lodash Prototype Pollution Vulnerability in _.unset and _.omit Functions

Vulnerability

A prototype pollution vulnerability has been identified in Lodash versions from 4.0.0 up to, but not including, 4.17.23, in the _.unset and _.omit functions. Both functions accept a property path (a dotted string such as "a.b.c" or an array of keys) and walk it segment by segment before deleting the final key. An attacker who controls that path can include segments such as "constructor" and "prototype" so that the walk leaves the object passed in and lands on a shared prototype, for example Object.prototype, Number.prototype or String.prototype; the function then deletes the named property from that prototype. Because property lookups on primitives resolve through their wrapper prototypes, a path that passes through a number or string value in the object reaches Number.prototype or String.prototype in the same way. The flaw permits deletion only: it does not let an attacker add or overwrite prototype properties, so it cannot inject behaviour the way classic prototype pollution does.
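The path walk described above, as an added example that is not Lodash's code and not its 4.17.23 fix: a minimal dotted-path resolver and unguarded delete that behave like the vulnerable shape, a hardened variant that refuses prototype-pivoting segments, and a demonstration that uses a canary property on Object.prototype instead of a real method so the process is left intact. All names (toPath, resolveParent, naiveUnset, safeUnset, demonstrate, demoCanary) are invented for this illustration; the library's real internals differ.

```javascript
// Added example, not Lodash source. Mirrors the behaviour the advisory
// describes: a path-based "unset" that follows "constructor"/"prototype"
// segments onto shared prototypes, beside a hardened form that refuses to.

// Split "a.b.c" into segments; Lodash also accepts arrays, so accept both.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Walk every segment but the last and return the object that owns the
// final key. Nothing stops the walk at `constructor` or `prototype`, and a
// lookup on a primitive (1, "x") resolves via Number.prototype /
// String.prototype, which is how those prototypes become reachable.
function resolveParent(object, path) {
  const segs = toPath(path);
  const key = segs[segs.length - 1];
  let current = object;
  for (let i = 0; i < segs.length - 1; i++) {
    if (current == null) return { parent: undefined, key };
    current = current[segs[i]];
  }
  return { parent: current, key };
}

// Vulnerable shape: delete wherever the path resolves, even a shared prototype.
function naiveUnset(object, path) {
  const { parent, key } = resolveParent(object, path);
  if (parent == null) return true;
  return delete parent[key];
}

// Segments that let a path pivot from the supplied object onto a prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened shape (an illustrative mitigation, not the upstream patch):
// reject pivoting segments outright, and only delete own properties of a
// real object or function so inherited prototype members are never touched.
function safeUnset(object, path) {
  const segs = toPath(path);
  if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) return false;
  const { parent, key } = resolveParent(object, segs);
  if (parent === null || parent === undefined) return true;
  if (typeof parent !== "object" && typeof parent !== "function") return true;
  if (!Object.prototype.hasOwnProperty.call(parent, key)) return true;
  return delete parent[key];
}

// Show the global reach with a throwaway canary rather than a built-in
// method, then restore Object.prototype. Returns what was observed.
function demonstrate() {
  Object.prototype.demoCanary = "present";       // canary every object inherits
  const before = ({}).demoCanary;
  naiveUnset({ harmless: 1 }, "constructor.prototype.demoCanary");
  const afterNaive = ({}).demoCanary;            // gone for every object

  Object.prototype.demoCanary = "present";
  const refused = safeUnset({ harmless: 1 }, "constructor.prototype.demoCanary");
  const afterSafe = ({}).demoCanary;             // still present
  delete Object.prototype.demoCanary;            // clean up
  return { before, afterNaive, refused, afterSafe };
}
```

Calling resolveParent with "a.constructor.prototype.toString" on {a: {}} returns Object.prototype as the parent, and "n.constructor.prototype.toFixed" on {n: 1} returns Number.prototype, which is why the advisory lists those prototypes. The same deletion step is what _.omit performs for each path it is asked to remove, so the guard belongs at the path level rather than in either public function alone.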

Impact

Exploitation deletes properties from built-in prototypes shared by every object in the process, not just from the object passed to _.unset or _.omit. Removing a method such as Object.prototype.toString or Number.prototype.toFixed breaks unrelated code that relies on it, so the practical consequence is unexpected behaviour and crashes (an availability problem) rather than arbitrary code execution, since the original functionality cannot be replaced.

Remediation

Users are advised to upgrade to Lodash version 4.17.23 or later. Instructions for upgrading can be found in the Lodash GitHub repository. Because many packages depend on Lodash transitively, check the lockfile for every resolved copy rather than only the direct dependency. Until the upgrade is in place, do not pass attacker-controlled paths to _.unset or _.omit, or reject paths containing "__proto__", "constructor" or "prototype" segments before calling them.

Added: Mar 31, 2026, 9:08 PM
Updated: Mar 31, 2026, 9:08 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 4.7
remediation: 7.7
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.