DEBIAN-CVE-2026-2950

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-2950
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2950.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-2950
Upstream
Published
2026-03-31T20:16:26.207Z
Modified
2026-04-28T20:32:35.911685Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

References

Affected packages

Debian:11 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.17.21+dfsg+~cs8.31.173-1
4.17.21+dfsg+~cs8.31.189.20210220-1
4.17.21+dfsg+~cs8.31.189.20210220-2~bpo11+1
4.17.21+dfsg+~cs8.31.189.20210220-2
4.17.21+dfsg+~cs8.31.189.20210220-3
4.17.21+dfsg+~cs8.31.196.20210220-1
4.17.21+dfsg+~cs8.31.196.20210220-2
4.17.21+dfsg+~cs8.31.198.20210220-1
4.17.21+dfsg+~cs8.31.198.20210220-2
4.17.21+dfsg+~cs8.31.198.20210220-3
4.17.21+dfsg+~cs8.31.198.20210220-4
4.17.21+dfsg+~cs8.31.198.20210220-5
4.17.21+dfsg+~cs8.31.198.20210220-6
4.17.21+dfsg+~cs8.31.198.20210220-7
4.17.21+dfsg+~cs8.31.198.20210220-8
4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+1
4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+2
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1
4.18.1+dfsg-2
4.18.1+dfsg-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2950.json"

Debian:12 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1
4.18.1+dfsg-2
4.18.1+dfsg-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2950.json"

Debian:13 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1
4.18.1+dfsg-2
4.18.1+dfsg-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2950.json"

Debian:14 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.18.1+dfsg-1

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-2950.json"