CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2950: Prototype Pollution Bypass in Lodash via Array-Wrapped Path Segments

Vulnerability ID: CVE-2026-2950
CVSS Score: 6.5
Published: 2026-04-01

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution via a bypass of the previous fix for CVE-2025-13465. By supplying array-wrapped path segments to functions like _.unset and _.omit, attackers can evade type-checking logic and delete properties from built-in prototypes.

TL;DR

A prototype pollution bypass in Lodash <= 4.17.23 allows attackers to delete arbitrary properties from global prototypes using array-wrapped path segments in _.unset and _.omit. The vulnerability is fixed in version 4.18.0.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • CVSS Score: 6.5
  • EPSS Score: 0.00042
  • Exploit Status: PoC
  • KEV Status: Not Listed

Affected Systems

  • Node.js Applications
  • JavaScript Frontend Applications
  • Serverless Functions utilizing vulnerable lodash packages
  • lodash: <= 4.17.23 (Fixed in: 4.18.0)
  • lodash-es: <= 4.17.23 (Fixed in: 4.18.0)
  • lodash-amd: <= 4.17.23 (Fixed in: 4.18.0)
  • lodash.unset: <= 4.17.23 (Fixed in: 4.18.0)

Code Analysis

Commit: fe8d32e

Fix prototype pollution bypass by normalizing keys with toKey() and unconditionally blocking constructor/prototype as non-terminal segments.

Exploit Details

  • GitHub Advisory: proof-of-concept code demonstrating the array-wrapped path segment bypass.

Mitigation Strategies

  • Upgrade lodash dependency to version 4.18.0 or later.
  • Implement input validation to restrict dynamic keys passed to lodash path functions.
  • Utilize package manager resolutions to force transitive lodash dependencies to patched versions.
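The input-validation mitigation above, written out as an added example in plain JavaScript (this is not lodash's code and not part of the original report). Segments are reduced to plain string keys before any check, the same normalization idea the fix commit attributes to toKey(), and a guarded delete refuses any path that could reach a built-in prototype. The names normalizePath, isSafePath and safeUnset are ours; dotted strings are split on "." only, so bracket syntax is out of scope.

```javascript
// Added example, not lodash's own code: validate a user-supplied path before
// it reaches a lodash path function such as _.unset or _.omit.
// Assumption: a path is a dotted string or an array of segments, where a
// segment may itself be wrapped in an array (the shape the advisory describes).
// Dotted strings are split on '.' only; bracket syntax is out of scope here.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reduce every segment to a plain string key. A wrapped segment such as
// ['__proto__'] becomes '__proto__', so the wrapper cannot hide the key from
// the check below (the normalization idea the fix commit attributes to toKey()).
function normalizePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  const keys = [];
  for (const seg of segments) {
    if (Array.isArray(seg)) keys.push(...normalizePath(seg)); // unwrap nested arrays
    else keys.push(String(seg));
  }
  return keys;
}

// Policy (assumed, stricter than the upstream fix): refuse a path if any
// normalized segment is one of the prototype-reaching keys, at any position.
function isSafePath(path) {
  const keys = normalizePath(path);
  return keys.length > 0 && keys.every((k) => !DANGEROUS_KEYS.has(k));
}

// Guarded delete that only ever touches own properties of plain data.
// Returns true if a property was removed, false if the path was refused
// or did not resolve to an own property.
function safeUnset(object, path) {
  if (!isSafePath(path)) return false;
  const keys = normalizePath(path);
  const hasOwn = (o, k) =>
    o !== null && typeof o === 'object' && Object.prototype.hasOwnProperty.call(o, k);
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(current, keys[i])) return false;
    current = current[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (!hasOwn(current, last)) return false;
  return delete current[last];
}
```

Wrapping a call to _.unset or _.omit with isSafePath is a stop-gap for code that cannot upgrade immediately; it does not replace moving to 4.18.0.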

Remediation Steps:

  1. Identify vulnerable versions using npm ls lodash.
  2. Update package.json to require lodash version 4.18.0.
  3. Run npm install or yarn install to update the lockfile.
  4. Deploy the updated application build to production.
  5. Monitor application logs for rejected payload attempts if temporary WAF/validation rules were implemented.
