Vulnerability	Vulnerable Version
H Arbitrary Code Injection Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of `options.imports` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to the incomplete fix for CVE-2021-23337. How to fix Arbitrary Code Injection? Upgrade `lodash-es` to version 4.18.1 or higher.	<4.18.1
M Prototype Pollution Affected versions of this package are vulnerable to Prototype Pollution via the `_.unset` and `_.omit` functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members. How to fix Prototype Pollution? Upgrade `lodash-es` to version 4.18.1 or higher.	>=4.0.0 <4.18.1

Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to the incomplete fix for CVE-2021-23337.

How to fix Arbitrary Code Injection?

Upgrade lodash-es to version 4.18.1 or higher.

<4.18.1

Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members.

How to fix Prototype Pollution?

Upgrade lodash-es to version 4.18.1 or higher.

>=4.0.0 <4.18.1

Go back to all versions of this package