
Commit 5d5860e

1 parent 1aed28a commit 5d5860e

2 files changed

+270
-0
lines changed

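--- /dev/null
+++ b/GHSA-f23m-r3pf-42rh.json
@@ -0,0 +1,131 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-f23m-r3pf-42rh",
+"modified": "2026-04-01T23:50:27Z",
+"published": "2026-04-01T23:50:27Z",
+"aliases": [
+"CVE-2026-2950"
+],
+"summary": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
+"details": "### Impact\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\n### Patches\n\nThis issue is patched in 4.18.0.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash-es"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash-amd"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash.unset"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.0.0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh"
+},
+{
+"type": "WEB",
+"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/lodash/lodash"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-1321"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-01T23:50:27Z",
+"nvd_published_at": "2026-03-31T20:16:26Z"
+}
+}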
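Review bot: The `affected` list covers only `lodash.unset` among the per-method packages even though the summary and details say `_.omit` is equally vulnerable, so the standalone `lodash.omit` package is left unflagged; if it bundles the same `baseUnset` path (not visible here) it needs a matching entry, otherwise a sentence explaining the exclusion. The `lodash.unset` entry also lacks the `last_known_affected_version_range` the other three carry, and its `"fixed": "4.18.0"` should be confirmed to correspond to a published version of that per-method package, since an unpublished fix boundary makes OSV consumers flag every version. The Workarounds text `None. Upgrade to the patched version.` overstates exposure: callers that only pass developer-controlled paths to `_.unset`/`_.omit` are not reachable by this bypass, and applications that can tolerate it may freeze built-in prototypes so the `delete` of a non-configurable property fails — I would record both as interim mitigations rather than `None`. A `WEB` reference to the fix commit would also help, as the sibling advisory in this commit provides one.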
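--- /dev/null
+++ b/GHSA-r5fr-rjxr-66jc.json
@@ -0,0 +1,139 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-r5fr-rjxr-66jc",
+"modified": "2026-04-01T23:51:12Z",
+"published": "2026-04-01T23:51:12Z",
+"aliases": [
+"CVE-2026-4800"
+],
+"summary": "lodash vulnerable to Code Injection via `_.template` imports key names",
+"details": "### Impact\n\nThe fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink.\n\nWhen an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.\n\n### Patches\n\nUsers should upgrade to version 4.18.0.\n\nThe fix applies two changes:\n1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option)\n2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated\n\n### Workarounds\n\nDo not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.0.0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash-es"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.0.0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash-amd"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.0.0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.17.23"
+}
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "lodash.template"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.0.0"
+},
+{
+"fixed": "4.18.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
+},
+{
+"type": "WEB",
+"url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c"
+},
+{
+"type": "WEB",
+"url": "https://cna.openjsf.org/security-advisories.html"
+},
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/lodash/lodash"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-94"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-01T23:51:12Z",
+"nvd_published_at": "2026-03-31T20:16:29Z"
+}
+}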
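Review bot: The Workarounds text (`Do not pass untrusted input as key names in options.imports`) addresses only the first vector in Impact; the second one — `assignInWith` copying inherited `Object.prototype` keys into the `Function()` sink — is reachable with entirely static, developer-controlled imports, so a reader who follows the workaround may believe they are safe while any prototype-pollution bug elsewhere in the application still becomes code execution at template compile time. I would add a sentence along the lines of `This workaround does not cover the inherited-property vector; applications that cannot upgrade should also ensure Object.prototype cannot be polluted (for example by freezing it) or avoid calling _.template after untrusted data has been merged.` The `"introduced": "4.0.0"` bound on the `lodash`, `lodash-es` and `lodash-amd` ranges excludes every 3.x release, which I believe also shipped `_.template` with an `imports` option and never received the CVE-2021-23337 guard; unless 3.x is confirmed unaffected, the range should start at `0` as the sibling advisory's does. As with the per-method package there, `"fixed": "4.18.0"` for `lodash.template` should be confirmed to correspond to a version actually published for that package.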
