Lodash vulnerabilities
- CVE-2025-13465 Published Jan 21, 2026
Severity: medium 6.9
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
- CVE-2021-23337 Published Feb 15, 2021
Severity: high 7.2
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
- CVE-2020-28500 Published Feb 15, 2021
Severity: medium 5.3
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
- CVE-2020-8203 Published Jul 15, 2020
Severity: high 7.4
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.