## Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` Functions (CVE-2026-2950)
A critical security update for the ubiquitous JavaScript utility library Lodash patches a newly disclosed prototype pollution vulnerability. The flaw, tracked as CVE-2026-2950, affects the `_.unset` and `_.omit` functions in versions 4.17.23 and earlier, allowing an attacker to bypass a previous fix and potentially manipulate an application's object prototype.

The vulnerability is a bypass of the earlier CVE-2025-13465 patch. That fix only guarded against path members supplied as strings, so a path whose dangerous member was not a string could still reach the prototype. The update to version 4.18.1 closes this specific gap in the library's core utility functions, which millions of projects use for data manipulation.
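As an added defensive example (not lodash's own code), the guard below normalizes every path member to a string before checking it, so that the check does not depend on the member's type the way the earlier fix did. It assumes a simplified stand-in for lodash's `_.toPath` tokenizer and the conventional forbidden-key list; `guardPaths` is a hypothetical wrapper you would apply to `_.unset` or `_.omit` at the call site.

```javascript
// Added defensive example, not lodash code. Rejects prototype-reaching path
// members before a path reaches a lodash-style (object, ...paths) mutator.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Simplified stand-in for lodash's _.toPath (assumption: enough for the dotted,
// bracketed and quoted forms used here): "a['__proto__'].b" -> ["a","__proto__","b"].
function toPathSegments(path) {
  return String(path)
    .split(/[.[\]]+/)
    .filter((s) => s.length > 0)
    .map((s) => s.replace(/^(['"])(.*)\1$/, "$2"));
}

// Every path argument after the target object is flattened to its members and
// each member is normalized with String() before comparison, so a number, a
// Symbol or an object with a custom toString() is checked the same way as a
// string. Conservative: a literal array-path key such as "a.__proto__" is
// rejected as well, even though lodash would treat it as one key.
function pathArgsAreSafe(pathArgs) {
  return pathArgs.flat(Infinity).every((member) => {
    const segments =
      typeof member === "string" ? toPathSegments(member) : [String(member)];
    return segments.every((seg) => !FORBIDDEN_KEYS.has(seg));
  });
}

// Hypothetical wrapper: unsafe paths throw instead of reaching the library.
// Intended use: const unset = guardPaths(_.unset); const omit = guardPaths(_.omit);
function guardPaths(fn) {
  return function guarded(object, ...pathArgs) {
    if (!pathArgsAreSafe(pathArgs)) {
      throw new TypeError("refusing path that could reach Object.prototype");
    }
    return fn(object, ...pathArgs);
  };
}

// Canary for tests and CI: returns a function that lists any own property
// Object.prototype has gained since the snapshot, the observable symptom of
// pollution regardless of which library call caused it.
function prototypeCanary() {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  return () => Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
}
```

Wrapping the two affected functions this way is a stopgap for trees that cannot move to 4.18.1 immediately; it does not replace the upgrade.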

This incident highlights the persistent and evolving threat of prototype pollution in foundational open-source dependencies. The fact that a prior patch was insufficient underscores the complexity of securing widely used utility functions. Organizations and developers relying on Lodash must prioritize this update to mitigate the risk of remote code execution or other malicious outcomes stemming from polluted object prototypes. The dependency's massive install base means the security exposure is significant, requiring immediate attention from development and security teams to audit and update their dependency trees, including copies of Lodash pulled in transitively by other packages.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, open-source, javascript, vulnerability, software-dependency
- **Credibility**: unverified
- **Published**: 2026-04-02 00:26:56
- **ID**: 46258
- **URL**: https://whisperx.ai/en/intel/46258