lodash — CVE history (npm)

lodash

10 CVEs affect the lodash npm package (highest CVSS 9.1). Latest disclosed: 2026-03-31. Full CVE history sourced from NVD.

Summary

Package: lodash (npm)
Total CVEs: 10
Actively exploited (CISA KEV): 0
Highest CVSS: 9.1
Latest disclosed: 2026-03-31

Recent CVEs (top 10)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4800 | High | 8.1 | No | 2026-03-31 | The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names.
CVE-2026-2950 | Medium | 6.5 | No | 2026-03-31 | Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions.
CVE-2025-13465 | Medium | 5.3 | No | 2026-01-21 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions.
CVE-2021-23337 | High | 7.2 | No | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to command injection via the template function.
CVE-2020-28500 | Medium | 5.3 | No | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVE-2020-8203 | High | 7.4 | No | 2020-07-15 | Prototype pollution via _.zipObjectDeep in lodash before 4.17.20.
CVE-2019-10744 | Critical | 9.1 | No | 2019-07-26 | Versions of lodash lower than 4.17.12 are vulnerable to prototype pollution.
CVE-2019-1010266 | Medium | 6.5 | No | 2019-07-17 | lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption.
CVE-2018-16487 | Medium | 5.6 | No | 2019-02-01 | Prototype pollution in lodash <4.17.11: merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
CVE-2018-3721 | Medium | 6.5 | No | 2018-06-07 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith, which allows a malicious user to modify the prototype of "Object" via __proto__…
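Seven of the ten entries above are prototype pollution in deep-merge or path-walking helpers (merge, mergeWith, defaultsDeep, zipObjectDeep, unset, omit). The following is an added example written for this page, not lodash's own implementation: a minimal deep merge and a minimal path setter with the defect class those entries describe, each beside a hardened variant that refuses the keys through which attacker input reaches a prototype, plus a probe that reports whether Object.prototype was actually polluted. The attacker payloads, the isAdmin key and all function names are constructed for the example.

```javascript
// Added example for this page: illustrative code, not lodash's implementation.
// Shows the defect class behind lodash's prototype-pollution CVEs (merge-style
// and path-style) next to hardened variants, with a probe for the outcome.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys through which an attacker-controlled key reaches a prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed attacker inputs (not from the page). JSON.parse creates an OWN
// property literally named "__proto__", which Object.keys() enumerates.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';
const ATTACKER_PATH = '__proto__.isAdmin';

// Vulnerable deep merge (class of CVE-2018-3721 / CVE-2018-16487 /
// CVE-2019-10744): dst["__proto__"] resolves to Object.prototype, which passes
// the plain-object check, so the recursion writes into it.
function vulnerableMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      vulnerableMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened deep merge: drop reserved keys and only recurse into dst's OWN
// plain-object properties, never into anything inherited.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Vulnerable path setter (class of CVE-2020-8203, zipObjectDeep): walks
// "__proto__.isAdmin" straight into Object.prototype.
function setPathUnchecked(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened path setter: reject any path segment that is a reserved key
// before walking; the walk itself is then safe.
function safeSetPath(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => BLOCKED_KEYS.has(p))) {
    throw new Error(`refusing to set path through reserved key: ${path}`);
  }
  return setPathUnchecked(obj, path, value);
}

// Run one attack, report whether a fresh object now inherits "isAdmin",
// then undo the pollution so later code starts from a clean prototype.
function probe(attack) {
  try { attack(); } catch (_) { /* a hardened function may throw */ }
  const polluted = 'isAdmin' in {};
  delete Object.prototype.isAdmin;
  return polluted;
}

// true = Object.prototype was polluted by that function.
function runDemo() {
  return {
    vulnerableMerge: probe(() => vulnerableMerge({ user: {} }, JSON.parse(ATTACKER_JSON))),
    safeMerge: probe(() => safeMerge({ user: {} }, JSON.parse(ATTACKER_JSON))),
    vulnerableSetPath: probe(() => setPathUnchecked({}, ATTACKER_PATH, true)),
    safeSetPath: probe(() => safeSetPath({}, ATTACKER_PATH, true)),
  };
}

console.log(runDemo());
```

The probe is the check worth keeping in a test suite: after exercising any code path that merges or path-writes untrusted JSON, assert that a fresh `{}` inherits nothing it did not before. Filtering `__proto__`, `constructor` and `prototype` is the fix the listed advisories converge on; freezing `Object.prototype` at startup (Node's experimental `--frozen-intrinsics` flag does this for the built-ins) is a coarser mitigation that turns a silent pollution into a thrown error.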

All-time worst (top 10 by CVSS)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2019-10744 | Critical | 9.1 | No | 2019-07-26 | Versions of lodash lower than 4.17.12 are vulnerable to prototype pollution.
CVE-2026-4800 | High | 8.1 | No | 2026-03-31 | The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names.
CVE-2020-8203 | High | 7.4 | No | 2020-07-15 | Prototype pollution via _.zipObjectDeep in lodash before 4.17.20.
CVE-2021-23337 | High | 7.2 | No | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to command injection via the template function.
CVE-2026-2950 | Medium | 6.5 | No | 2026-03-31 | Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions.
CVE-2019-1010266 | Medium | 6.5 | No | 2019-07-17 | lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption.
CVE-2018-3721 | Medium | 6.5 | No | 2018-06-07 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith, which allows a malicious user to modify the prototype of "Object" via __proto__…
CVE-2018-16487 | Medium | 5.6 | No | 2019-02-01 | Prototype pollution in lodash <4.17.11: merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
CVE-2025-13465 | Medium | 5.3 | No | 2026-01-21 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions.
CVE-2020-28500 | Medium | 5.3 | No | 2021-02-15 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.