CVE-2026-2950 Overview
CVE-2026-2950 is a prototype pollution vulnerability affecting Lodash versions 4.17.23 and earlier. The vulnerability exists in the _.unset and _.omit functions, where an attacker can bypass the existing security fix for CVE-2025-13465 by using array-wrapped path segments instead of string key members. This allows unauthorized deletion of properties from built-in JavaScript prototypes including Object.prototype, Number.prototype, and String.prototype.
Critical Impact
Attackers can delete prototype properties from core JavaScript objects by bypassing the CVE-2025-13465 patch, potentially causing application instability or enabling further attacks through prototype chain manipulation.
Affected Products
- Lodash versions 4.17.23 and earlier
- Applications using vulnerable _.unset function
- Applications using vulnerable _.omit function
Discovery Timeline
- 2026-03-31 - CVE-2026-2950 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-2950
Vulnerability Analysis
This prototype pollution vulnerability (CWE-1321) stems from an incomplete fix for a previous security issue. The original patch for CVE-2025-13465 implemented guards against string key members in the _.unset and _.omit functions. However, the validation logic fails to account for array-wrapped path segments, creating a bypass mechanism.
Prototype pollution vulnerabilities in JavaScript libraries like Lodash are particularly dangerous because they can affect the fundamental behavior of objects throughout an application. When an attacker successfully pollutes a prototype, all objects inheriting from that prototype can be affected.
Importantly, while this vulnerability allows deletion of prototype properties, it does not permit overwriting or redefining their original behavior. This limits the attack surface compared to full prototype pollution but still poses significant risks to application stability and security.
Root Cause
The root cause is insufficient input validation in the path parsing logic of _.unset and _.omit functions. The fix for CVE-2025-13465 only validated string key members, leaving array-wrapped path segments unvalidated. This allows attackers to craft malicious inputs that bypass the security checks and reach prototype properties.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker can supply specially crafted array-wrapped path arguments to the vulnerable functions. When the application processes these inputs through _.unset or _.omit, the attacker can delete properties from built-in prototypes.
For example, while string-based paths like "__proto__.toString" are blocked by the existing fix, passing the equivalent as an array of path segments bypasses the validation entirely. This allows deletion of critical prototype methods and properties.
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-2950
Indicators of Compromise
- Unexpected undefined values when accessing standard prototype methods like toString, valueOf, or hasOwnProperty
- Application crashes or TypeError exceptions related to missing prototype methods
- Unusual array-formatted arguments being passed to Lodash utility functions
- Audit logs showing paths containing __proto__, constructor, or prototype as array elements
Detection Strategies
- Implement Software Composition Analysis (SCA) to identify Lodash versions prior to 4.18.0 in your codebase
- Deploy runtime application self-protection (RASP) to monitor for prototype pollution attempts
- Use static analysis tools to detect potentially dangerous usage patterns of _.unset and _.omit
- Monitor application logs for unexpected type errors that may indicate prototype manipulation
Monitoring Recommendations
- Enable verbose logging for input validation failures in application middleware
- Set up alerts for patterns matching prototype pollution attempts in web application firewalls
- Monitor package dependency manifests for outdated Lodash versions across your organization
- Implement integrity checks for critical prototype methods at application startup
How to Mitigate CVE-2026-2950
Immediate Actions Required
- Upgrade Lodash to version 4.18.0 or later immediately
- Audit all application code for usage of _.unset and _.omit functions
- Implement input validation to sanitize user-controlled data before passing to Lodash functions
- Consider using Object.freeze() on critical prototypes as a defense-in-depth measure
Patch Information
This vulnerability is patched in Lodash version 4.18.0. The vendor has confirmed that upgrading to this version resolves the bypass issue by implementing comprehensive validation for both string and array path formats.
For more information, refer to the GitHub Security Advisory.
Workarounds
- No official workarounds are available - upgrading to version 4.18.0 is the only recommended remediation
- As a temporary measure, avoid passing user-controlled input directly to _.unset or _.omit functions
- Consider replacing vulnerable function calls with native JavaScript alternatives that don't traverse prototype chains
- Implement application-level input sanitization to reject array paths containing prototype-related strings
# Upgrade Lodash to patched version
npm update lodash@4.18.0
# Verify installed version
npm list lodash
# Audit for vulnerable versions across project
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
