lodash 4.17.20

Direct Vulnerabilities

Known vulnerabilities in the lodash package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of `options.imports` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to the incomplete fix for CVE-2021-23337. How to fix Arbitrary Code Injection? Upgrade `lodash` to version 4.18.1 or higher.	<4.18.1
M Prototype Pollution lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the `_.unset` and `_.omit` functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members. How to fix Prototype Pollution? Upgrade `lodash` to version 4.18.1 or higher.	>=4.0.0 <4.18.1
M Prototype Pollution lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the `_.unset` and `_.omit` functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties. How to fix Prototype Pollution? Upgrade `lodash` to version 4.17.23 or higher.	>=4.0.0 <4.17.23
H Code Injection lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Code Injection due the improper validation of `options.variable` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. How to fix Code Injection? Upgrade `lodash` to version 4.17.21 or higher.	<4.17.21
M Regular Expression Denial of Service (ReDoS) lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. POC var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2) How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `lodash` to version 4.17.21 or higher.	<4.17.21

Vulnerability

Vulnerable Version

Arbitrary Code Injection

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to the incomplete fix for CVE-2021-23337.

How to fix Arbitrary Code Injection?

Upgrade lodash to version 4.18.1 or higher.

<4.18.1

Prototype Pollution

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members.

How to fix Prototype Pollution?

Upgrade lodash to version 4.18.1 or higher.

>=4.0.0 <4.18.1

Prototype Pollution

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

How to fix Prototype Pollution?

Upgrade lodash to version 4.17.23 or higher.

>=4.0.0 <4.17.23

Code Injection

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

How to fix Code Injection?

Upgrade lodash to version 4.17.21 or higher.

<4.17.21

Regular Expression Denial of Service (ReDoS)

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

POC

var lo = require('lodash');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0)

var time1 = Date.now();
lo.toNumber(s)
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1)

var time2 = Date.now();
lo.trimEnd(s)
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade lodash to version 4.17.21 or higher.

<4.17.21

lodash@4.17.20

Lodash modular utilities.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

POC