PT-2026-29328 · Lodash +1

Backuardo +9 · Published 2026-03-31 · Updated 2026-06-09 · CVE-2026-2950

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Lodash versions prior to 4.18.0

Description

Lodash versions 4.17.23 and earlier are susceptible to prototype pollution through the _.unset and _.omit functions. The initial fix did not fully address the issue, as an attacker can bypass the check by using array-wrapped path segments. This allows for the deletion of properties from built-in prototypes like Object.prototype, Number.prototype, and String.prototype. The issue allows deletion of prototype properties but does not permit overwriting their original behavior.

Recommendations

Upgrade to version 4.18.0 or later.
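
An array-wrapped segment such as ['__proto__'] is not equal to the string '__proto__', yet JavaScript coerces it to that string when it is used as a property key, so a guard has to compare the coerced keys. The following is an added example of such an application-side guard, not lodash's code or its patch; normalizePath, isUnsafePath and safeUnset are hypothetical helper names and the sample paths are constructed.

```javascript
// Added example: helper names are hypothetical, not lodash's code or patch.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Turn a path into the property keys that will really be used. String()
// mirrors property-key coercion, so ['__proto__'] becomes '__proto__'.
function normalizePath(path) {
  const segments = Array.isArray(path)
    ? path
    : String(path).split(/[.\[\]'"]+/).filter(Boolean);
  return segments.map((s) => (typeof s === 'symbol' ? s : String(s)));
}

// Weak check, for contrast: compares raw segments, misses wrapped ones.
function naiveIsUnsafePath(path) {
  return Array.isArray(path) && path.some((s) => FORBIDDEN_KEYS.has(s));
}

// Hardened check: compare coerced keys; reject segments that cannot coerce.
function isUnsafePath(path) {
  try {
    return normalizePath(path).some((k) => FORBIDDEN_KEYS.has(k));
  } catch (err) {
    return true;
  }
}

// Delete a nested property only when every step is an own property, so the
// walk never reaches an inherited prototype object.
function safeUnset(object, path) {
  if (object === null || typeof object !== 'object') return false;
  if (isUnsafePath(path)) return false;
  const keys = normalizePath(path);
  if (keys.length === 0) return false;
  let parent = object;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(parent, key)) return false;
    parent = parent[key];
    if (parent === null || typeof parent !== 'object') return false;
  }
  const last = keys[keys.length - 1];
  if (!Object.prototype.hasOwnProperty.call(parent, last)) return false;
  return Reflect.deleteProperty(parent, last);
}

// Constructed sample paths, checked by both guards.
const SAMPLE_PATHS = [['profile', 'nickname'], [['__proto__'], 'example']];
for (const p of SAMPLE_PATHS) {
  console.log(JSON.stringify(p), naiveIsUnsafePath(p), isUnsafePath(p));
}
```

A guard like this only narrows exposure for paths built from untrusted input; the remediation stated above is still the upgrade.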

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-2950
GHSA-F23M-R3PF-42RH
RHSA-2026:7378
RHSA-2026:7655
RHSA-2026:9455
USN-8411-1

Affected Products

Lodash
Ubuntu