
Debian LTS node-lodash Serious Prototype Pollution Vulnerability DLA-4663-1

Source: Debian LTS. Published: July 1, 2026.
Upgrade node-lodash to mitigate prototype pollution and code injection vulnerabilities identified in CVE-2025-13465 and more.
Several vulnerabilities were discovered in node-lodash, a Node.js module providing utility functions for common programming tasks.

Summary

CVE-2025-13465

Prototype pollution in the _.unset and _.omit functions. A
crafted property path could be used to delete properties from
built-in prototypes (such as Object.prototype), leading to
availability and integrity issues.

CVE-2026-2950

An incomplete fix for CVE-2025-13465. The initial guard only
handled string key members and the literal "constructor.prototype"
sequence, so it could be bypassed using array-wrapped path
segments (for example [['constructor'], ['keys']]), via
constructor static methods, or from primitive roots, again allowing
deletion of properties on shared built-in prototypes.
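The two path-handling issues above (CVE-2025-13465 and its incomplete fix, CVE-2026-2950) come down to which path segments are allowed to reach a shared prototype. As an added example that is not lodash's code or part of the advisory, the block below shows the kind of guard a caller can put in front of _.unset / _.omit: it normalizes every path form (dotted strings, bracket notation, arrays, and array-wrapped segments) into flat string segments before checking them, and it pairs that with an own-property-only unset that never walks into a prototype. The names normalizePath, isSafePath and safeUnset are this example's own.

```javascript
// Added example (not lodash's code): a defensive property-path guard to apply
// before handing a path to _.unset / _.omit, plus a minimal own-property-only
// unset that never walks into built-in prototypes. The function names are
// this example's own, not lodash APIs.

// Segments that would let a path step onto a shared prototype object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalize the path forms lodash accepts into a flat list of string segments:
// dotted strings ("a.b"), bracket notation ("a[0]['b']"), arrays, and
// array-wrapped segments such as [['constructor'], ['keys']], which a guard
// that only inspects string members would miss.
function normalizePath(path) {
  if (Array.isArray(path)) {
    return path.flat(Infinity).map(String);
  }
  if (typeof path === 'string') {
    return path
      .replace(/\[([^\]]*)\]/g, '.$1')                 // a[0]['b'] -> a.0.'b'
      .split('.')
      .filter((s) => s.length > 0)
      .map((s) => s.replace(/^(['"])(.*)\1$/, '$2')); // strip quotes: 'b' -> b
  }
  return [String(path)];
}

// A path is safe only when no segment, in any form, names a prototype hop.
function isSafePath(path) {
  return normalizePath(path).every((s) => !FORBIDDEN_SEGMENTS.has(s));
}

// Own-property-only unset. Returns true when the path is absent afterwards,
// false when it could not be walked (primitive root, missing or non-object
// segment). Throws on a forbidden path so misuse shows up in logs instead of
// being silently skipped.
function safeUnset(obj, path) {
  const segs = normalizePath(path);
  if (!segs.every((s) => !FORBIDDEN_SEGMENTS.has(s))) {
    throw new Error('refusing unsafe property path: ' + JSON.stringify(segs));
  }
  if (segs.length === 0) return false;
  // Primitive roots (strings, numbers, ...) have no own keys to delete;
  // walking them would only ever land on their prototypes.
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) {
    return false;
  }
  const hasOwn = Object.prototype.hasOwnProperty;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!hasOwn.call(cur, segs[i])) return false;   // never follow inherited keys
    cur = cur[segs[i]];
    if (cur === null || typeof cur !== 'object') return false;
  }
  const last = segs[segs.length - 1];
  if (hasOwn.call(cur, last)) delete cur[last];
  return true;
}

// Usage (constructed data): removes o.a.b and leaves o.a.c alone.
const o = { a: { b: 1, c: 2 } };
safeUnset(o, 'a.b');
```

The important design point is that the check runs on the normalized segments, not on the raw argument: a string guard for "constructor.prototype" says nothing about [['constructor'], ['keys']] until both have been flattened to the same representation. The primitive-root check and the hasOwnProperty walk close the remaining route, because an inherited key can only be reached by stepping onto a prototype.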

CVE-2026-4800

Code injection in the _.template function. An incomplete fix for
CVE-2021-23337: the "variable" option was validated but the
"imports" option key names were not. Untrusted input passed as
imports key names could inject default-parameter expressions that
execute arbitrary code at template compilation time via the same



Severity: important

Package: node-lodash
Version: 4.17.21+dfsg+~cs8.31.173-1+deb11u1
CVE ID: CVE-2025-13465 CVE-2026-2950 CVE-2026-4800
Debian Bug: 1126265
