CVE-2026-2950
Publication date 31 March 2026
Last updated 9 June 2026
Ubuntu priority
Description
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-lodash | 26.04 LTS resolute |
Fixed 4.17.23+dfsg-1ubuntu0.1~esm1
|
| 25.10 questing |
Fixed 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1
|
|
| 24.04 LTS noble |
Fixed 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
|
|
| 22.04 LTS jammy |
Fixed 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Fixed 4.17.15+dfsg-2ubuntu0.1~esm1
|
|
| 18.04 LTS bionic |
Fixed 4.17.4+dfsg-1ubuntu0.1~esm1
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version: CVSS v3.0
Base score
6.5 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References
Related Ubuntu Security Notices (USN)
- USN-8411-1
- Lodash vulnerabilities
- 9 June 2026