Lodash · Lodash · CVE-2026-4800
**Name of the Vulnerable Software and Affected Versions**
lodash versions prior to 4.18.0
**Description**
The flaw is in template compilation. The `_.template` function does not sufficiently validate key names in the `options.imports` object, which can allow an attacker to inject default-parameter expressions, leading to arbitrary code execution. The issue arises because the validation applied to the `variable` option is not extended to the `options.imports` key names. Furthermore, the use of `assignInWith` can introduce vulnerabilities if `Object.prototype` has been compromised: polluted keys may be copied into the imports object and ultimately execute malicious code.
**Recommendations**
Upgrade to version 4.18.0.
Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.
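
A caller-side check for the second recommendation, as an added example that is not lodash code: `sanitizeImports`, `pollutedPrototypeKeys`, the ASCII-only identifier pattern and the denied names are assumptions of this example. It covers only the object the caller passes and does not replace the upgrade.

```javascript
// Added example, not lodash code. Function names and policy are assumptions.

// ASCII-only identifier pattern, deliberately stricter than the JS grammar.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Names refused even though they look like identifiers (assumed policy).
const DENIED = new Set(['__proto__', 'constructor', 'prototype']);

// Enumerable keys every object inherits; any entry means Object.prototype
// has been polluted and an "assign-in" style copy would pick it up.
function pollutedPrototypeKeys() {
  const found = [];
  for (const key in {}) found.push(key);
  return found;
}

// Return a null-prototype copy of `imports` with own keys only.
// Throws instead of dropping keys so a bad caller is noticed.
function sanitizeImports(imports) {
  const polluted = pollutedPrototypeKeys();
  if (polluted.length > 0) {
    throw new Error('Object.prototype is polluted: ' + polluted.join(', '));
  }
  const clean = Object.create(null);
  for (const key of Object.keys(imports || {})) {
    if (!IDENTIFIER.test(key) || DENIED.has(key)) {
      throw new TypeError('rejected imports key: ' + JSON.stringify(key));
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Intended call site (lodash itself is not loaded in this example):
//   _.template(source, { imports: sanitizeImports(helpers) });
```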