{"ecosystem":"npm","package":"lodash","version":null,"bugs":[{"id":343,"ecosystem":"npm","package_name":"lodash","affected_version":"4.0.0","fixed_version":"4.18.0","bug_id":"osv:GHSA-r5fr-rjxr-66jc","title":"lodash vulnerable to Code Injection via `_.template` imports key names","description":"### Impact\n\nThe fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink.\n\nWhen an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.\n\n### Patches\n\nUsers should upgrade to version 4.18.0.\n\nThe fix applies two changes:\n1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option)\n2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated\n\n### Workarounds\n\nDo not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc","labels":["CVE-2026-4800"],"created_at":"2026-04-19T04:31:18.574001+00:00","updated_at":"2026-04-19T04:31:18.574001+00:00"},{"id":342,"ecosystem":"npm","package_name":"lodash","affected_version":"3.7.0","fixed_version":"4.17.19","bug_id":"osv:GHSA-p6mc-m468-83gw","title":"Prototype Pollution in lodash","description":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8203","labels":["CVE-2020-8203"],"created_at":"2026-04-19T04:31:18.573546+00:00","updated_at":"2026-04-19T04:31:18.573546+00:00"},{"id":338,"ecosystem":"npm","package_name":"lodash","affected_version":null,"fixed_version":"4.17.11","bug_id":"osv:GHSA-4xc9-xhrj-v574","title":"Prototype Pollution in lodash","description":"Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16487","labels":["CVE-2018-16487"],"created_at":"2026-04-19T04:31:18.571469+00:00","updated_at":"2026-04-19T04:31:18.571469+00:00"},{"id":337,"ecosystem":"npm","package_name":"lodash","affected_version":null,"fixed_version":"4.17.21","bug_id":"osv:GHSA-35jh-r3h4-6jhm","title":"Command Injection in lodash","description":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23337","labels":["CVE-2021-23337"],"created_at":"2026-04-19T04:31:18.570860+00:00","updated_at":"2026-04-19T04:31:18.570860+00:00"},{"id":5,"ecosystem":"npm","package_name":"lodash","affected_version":"<4.17.21","fixed_version":"4.17.21","bug_id":"github:#5065","title":"Command injection in template function","description":"CVE-2021-23337 — unsafe template evaluation. Upgrade to 4.17.21.","severity":"high","status":"closed","source":"github_issues","source_url":"https://github.com/lodash/lodash/issues/5065","labels":["security"],"created_at":"2026-04-19T02:03:59.602344+00:00","updated_at":"2026-04-19T02:03:59.602344+00:00"},{"id":345,"ecosystem":"npm","package_name":"lodash","affected_version":"4.0.0","fixed_version":"4.17.23","bug_id":"osv:GHSA-xxjr-mmjv-4gpg","title":"Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions","description":"### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.  \n\n### Patches\n\nThis issue is patched on 4.17.23.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg","labels":["CVE-2025-13465"],"created_at":"2026-04-19T04:31:18.575159+00:00","updated_at":"2026-04-19T04:31:18.575159+00:00"},{"id":344,"ecosystem":"npm","package_name":"lodash","affected_version":"4.7.0","fixed_version":"4.17.11","bug_id":"osv:GHSA-x5rq-j2xg-h7qm","title":"Regular Expression Denial of Service (ReDoS) in lodash","description":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010266","labels":["CVE-2019-1010266"],"created_at":"2026-04-19T04:31:18.574482+00:00","updated_at":"2026-04-19T04:31:18.574482+00:00"},{"id":340,"ecosystem":"npm","package_name":"lodash","affected_version":null,"fixed_version":"4.17.5","bug_id":"osv:GHSA-fvqr-27wr-82fm","title":"Prototype Pollution in lodash","description":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3721","labels":["CVE-2018-3721"],"created_at":"2026-04-19T04:31:18.572637+00:00","updated_at":"2026-04-19T04:31:18.572637+00:00"},{"id":339,"ecosystem":"npm","package_name":"lodash","affected_version":null,"fixed_version":"4.18.0","bug_id":"osv:GHSA-f23m-r3pf-42rh","title":"lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`","description":"### Impact\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\n### Patches\n\nThis issue is patched in 4.18.0.\n\n### Workarounds\n\nNone. Upgrade to the patched version.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh","labels":["CVE-2026-2950"],"created_at":"2026-04-19T04:31:18.572143+00:00","updated_at":"2026-04-19T04:31:18.572143+00:00"},{"id":336,"ecosystem":"npm","package_name":"lodash","affected_version":"4.0.0","fixed_version":"4.17.21","bug_id":"osv:GHSA-29mw-wpgm-hmr9","title":"Regular Expression Denial of Service (ReDoS) in lodash","description":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n    var ret = \"1\"\n    for (var i = 0; i < n; i++) {\n        ret += \" \"\n    }\n    return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28500","labels":["CVE-2020-28500"],"created_at":"2026-04-19T04:31:18.569195+00:00","updated_at":"2026-04-19T04:31:18.569195+00:00"},{"id":341,"ecosystem":"npm","package_name":"lodash","affected_version":null,"fixed_version":"4.17.12","bug_id":"osv:GHSA-jf85-cpcp-j695","title":"Prototype Pollution in lodash","description":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution.  The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10744","labels":["CVE-2019-10744"],"created_at":"2026-04-19T04:31:18.573106+00:00","updated_at":"2026-04-19T04:31:18.573106+00:00"}],"total":11,"_cache":"miss"}