lodash 4.18.0

Direct Vulnerabilities

Known vulnerabilities in the lodash package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of `options.imports` key names in `_.template`. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If `Object.prototype` has been polluted, inherited properties may also be copied into the imports object and executed. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to the incomplete fix for CVE-2021-23337. How to fix Arbitrary Code Injection? Upgrade `lodash` to version 4.18.1 or higher.	<4.18.1
M Prototype Pollution lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the `_.unset` and `_.omit` functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour. Notes: Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue. This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members. How to fix Prototype Pollution? Upgrade `lodash` to version 4.18.1 or higher.	>=4.0.0 <4.18.1

Vulnerability

Vulnerable Version

Arbitrary Code Injection

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to the incomplete fix for CVE-2021-23337.

How to fix Arbitrary Code Injection?

Upgrade lodash to version 4.18.1 or higher.

<4.18.1

Prototype Pollution

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete properties from built-in prototypes by supplying array-wrapped path segments, potentially impacting application behaviour.

Notes:

Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.
This issue is due to incomplete fix for CVE-2025-13465 which protects only against string key members.

How to fix Prototype Pollution?

Upgrade lodash to version 4.18.1 or higher.

>=4.0.0 <4.18.1

lodash@4.18.0

Lodash modular utilities.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically