==========================================================================
Ubuntu Security Notice USN-8411-1
June 09, 2026

node-lodash vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Lodash.

Software Description:
- node-lodash: A modern JavaScript utility library delivering modularity, performance, & extras

Details:

It was discovered that Lodash was vulnerable to a prototype pollution
issue in the zipObjectDeep function. An attacker could possibly use this
issue to modify application behavior. This issue only affected Ubuntu
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)

Liyuan Chen discovered that Lodash was vulnerable to a regular
expression denial of service issue in the toNumber, trim, and trimEnd
functions. An attacker could possibly use this issue to consume
excessive system resources, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)

Marc Hassan discovered that Lodash did not properly sanitize input to
the template function. An attacker could possibly use this issue to
inject and execute arbitrary commands. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)

It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from global prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and
Ubuntu 25.10. (CVE-2025-13465)

It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from built-in prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)

It was discovered that Lodash did not properly validate certain inputs
to the template function. An attacker could possibly use this issue to
inject malicious code during template processing, resulting in arbitrary
code execution. (CVE-2026-4800)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  libjs-lodash                    4.17.23+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     4.17.23+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash-packages            4.17.23+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 25.10
  libjs-lodash                    4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1
  node-lodash                     4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1
  node-lodash-packages            4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1

Ubuntu 24.04 LTS
  libjs-lodash                    4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro
  node-lodash-packages            4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libjs-lodash                    4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash-packages            4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libjs-lodash                    4.17.15+dfsg-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     4.17.15+dfsg-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash-packages            4.17.15+dfsg-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libjs-lodash                    4.17.4+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     4.17.4+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libjs-lodash                    2.4.1+dfsg-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  node-lodash                     2.4.1+dfsg-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8411-1
  CVE-2020-28500, CVE-2020-8203, CVE-2021-23337, CVE-2025-13465,
  CVE-2026-2950, CVE-2026-4800

Package Information:
  https://launchpad.net/ubuntu/+source/node-lodash/4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1