lodash — CVE history (npm)
10 CVEs affect the lodash npm package (highest CVSS 9.1). Latest disclosed: 2026-03-31. Full CVE history sourced from NVD.
Summary
- Package: lodash (npm)
- Total CVEs: 10
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.1
- Latest disclosed: 2026-03-31
Recent CVEs (top 10)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4800 | High | 8.1 | — | 2026-03-31 | The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. |
| CVE-2026-2950 | Medium | 6.5 | — | 2026-03-31 | Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. |
| CVE-2025-13465 | Medium | 5.3 | — | 2026-01-21 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. |
| CVE-2021-23337 | High | 7.2 | — | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
| CVE-2020-28500 | Medium | 5.3 | — | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |
| CVE-2020-8203 | High | 7.4 | — | 2020-07-15 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2019-10744 | Critical | 9.1 | — | 2019-07-26 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. |
| CVE-2019-1010266 | Medium | 6.5 | — | 2019-07-17 | lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption. |
| CVE-2018-16487 | Medium | 5.6 | — | 2019-02-01 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. |
| CVE-2018-3721 | Medium | 6.5 | — | 2018-06-07 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__… |
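The merge, mergeWith and defaultsDeep rows above (CVE-2018-3721, CVE-2018-16487) describe one mechanism: a deep merge that walks attacker-supplied keys, including `__proto__`, and so ends up assigning onto `Object.prototype`, after which every object in the process inherits the injected property. The block below is an added example, not lodash's code and not taken from this page: a minimal recursive merge that reproduces that class of bug, beside a hardened variant that refuses prototype-reaching keys, plus a check that tells you whether the running process has already been polluted. The JSON payload, the function names and the blocked-key list are assumptions chosen for illustration; the real remediation for an application is upgrading lodash past the affected ranges listed in the table.

```javascript
'use strict';
// Added example (not lodash's implementation): vulnerable deep merge vs. hardened deep merge.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: recurses into every key of `source`, including "__proto__".
// For key "__proto__", `target[key]` resolves through the accessor to
// Object.prototype, so the recursive call writes onto the global prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// HARDENED: keys that can reach a prototype are skipped outright, and the
// recursion only descends into properties that `target` owns itself, never
// into something inherited. (Blocked-key list is an assumption for this demo.)
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection check: has something added `prop` as an own property of Object.prototype?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed attacker payload, e.g. a JSON request body merged into a config object.
// JSON.parse creates an *own* data property literally named "__proto__".
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Runs the vulnerable merge, records the pollution, then removes it so the
// process stays usable; returns the observations for inspection.
function demoVulnerable() {
  const before = isPolluted('isAdmin');
  naiveMerge({}, JSON.parse(PAYLOAD));
  const after = isPolluted('isAdmin');
  const leaked = ({}).isAdmin === true; // an unrelated, freshly created object now "has" isAdmin
  delete Object.prototype.isAdmin;       // clean-up; a real victim process would have no such step
  return { before, after, leaked };
}

// Runs the hardened merge on the same payload; nothing reaches Object.prototype
// and the "__proto__" key is dropped rather than copied as an own property.
function demoHardened() {
  const result = safeMerge({}, JSON.parse(PAYLOAD));
  return {
    polluted: isPolluted('isAdmin'),
    name: result.name,
    hasProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
  };
}

console.log(JSON.stringify({ vulnerable: demoVulnerable(), hardened: demoHardened() }));
```

`isPolluted` is the piece worth keeping in an incident-response toolbox: run against `Object.prototype` for a handful of property names your code gates on (`isAdmin`, `role`, `debug`), it tells you whether a pollution primitive has already fired in a process, regardless of which library supplied it.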
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2019-10744 | Critical | 9.1 | — | 2019-07-26 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. |
| CVE-2026-4800 | High | 8.1 | — | 2026-03-31 | The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. |
| CVE-2020-8203 | High | 7.4 | — | 2020-07-15 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2021-23337 | High | 7.2 | — | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
| CVE-2026-2950 | Medium | 6.5 | — | 2026-03-31 | Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. |
| CVE-2019-1010266 | Medium | 6.5 | — | 2019-07-17 | lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption. |
| CVE-2018-3721 | Medium | 6.5 | — | 2018-06-07 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__… |
| CVE-2018-16487 | Medium | 5.6 | — | 2019-02-01 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. |
| CVE-2025-13465 | Medium | 5.3 | — | 2026-01-21 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. |
| CVE-2020-28500 | Medium | 5.3 | — | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |