## Aikido Codebase Exposed: Critical Lodash Vulnerabilities Require Immediate Upgrade to Patch RCE, Prototype Pollution
A security audit of the Aikido project's codebase has flagged a critical dependency vulnerability, requiring an immediate upgrade of the lodash library from version 4.17.21 to 4.18.1. The outdated version contains known security flaws enabling remote code execution via template injection and prototype pollution, specifically through the `_.unset` and `_.omit` functions. These are not theoretical risks; they are active vectors that could be exploited to compromise the application.

The vulnerable function surfaces in the project because `src/components/ScoreExplorer/atoms/Request.tsx` calls `_.omit`. A closer analysis, however, confirms that this specific usage is not hit by the breaking changes introduced in the patched versions: the call omits only the properties `'endpoint'` and `'endpointLabel'`, never the protected keys `'constructor'` or `'prototype'`. The security fixes in lodash 4.18.0+ specifically block those keys when they appear as non-terminal path arguments to `_.omit` and `_.unset`, and address invalid identifier characters in `_.template`; neither pattern occurs in this codebase.
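To make the analysis in the paragraph above reproducible, here is an added audit helper (not code from the Aikido project or from lodash) that checks the two things a reviewer has to establish: whether the installed lodash version is older than the fixed release named in the advisory, and whether a `_.omit` / `_.unset` call site passes `'constructor'` or `'prototype'` as a non-terminal path segment, the pattern the 4.18.0+ fixes block. The path splitter is a simplified stand-in for lodash's own path parsing, the call-site paths come from the page, and the "risky" paths are constructed samples; the `auditOmitUsage` function and its return shape are assumptions of this example.

```javascript
// Added example, not the Aikido project's or lodash's own code.
// Audits (1) the installed lodash version against the fixed release and
// (2) the path arguments of a _.omit / _.unset call site for protected keys
// in NON-terminal position, which is the pattern blocked in lodash 4.18.0+.

const FIXED_VERSION = '4.18.1';                                // target version from the advisory
const PROTECTED_KEYS = new Set(['constructor', 'prototype']);   // keys named in the advisory

// Comparator over dotted numeric versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the installed version predates the fixed release.
function needsUpgrade(installedVersion, fixedVersion = FIXED_VERSION) {
  return compareVersions(installedVersion, fixedVersion) < 0;
}

// Simplified path parser (assumption: stands in for lodash's own toPath):
// arrays are taken as-is; strings split on '.' and on [index] / ["key"] brackets.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+|"[^"]*"|'[^']*')\]/g, '.$1')   // a[0] -> a.0, a["k"] -> a."k"
    .split('.')
    .filter((s) => s.length > 0)
    .map((s) => s.replace(/^["']|["']$/g, ''));      // strip quotes left from bracket keys
}

// Returns one finding per protected key found in a non-terminal position.
// An empty result means the call site is not affected by the breaking change.
function findProtectedNonTerminal(paths) {
  const findings = [];
  for (const p of paths) {
    const segs = toPathSegments(p);
    // The last segment is terminal and is not subject to the block, so stop before it.
    for (let i = 0; i < segs.length - 1; i++) {
      if (PROTECTED_KEYS.has(segs[i])) {
        findings.push({ path: p, segment: segs[i], index: i });
      }
    }
  }
  return findings;
}

// One-call audit for a dependency version plus a call site (hypothetical helper).
function auditOmitUsage(installedVersion, omitPaths) {
  return {
    upgradeRequired: needsUpgrade(installedVersion),
    breakingChangeHits: findProtectedNonTerminal(omitPaths),
  };
}

// The call site the advisory describes (keys taken from the page).
const REQUEST_TSX_PATHS = ['endpoint', 'endpointLabel'];
// Constructed samples of the kind of path the patched versions reject.
const CONSTRUCTED_RISKY_PATHS = ['constructor.prototype.polluted', ['a', 'prototype', 'b']];

console.log(auditOmitUsage('4.17.21', REQUEST_TSX_PATHS));
// upgradeRequired: true, breakingChangeHits: [] (safe usage, vulnerable library)
console.log(auditOmitUsage('4.18.1', CONSTRUCTED_RISKY_PATHS));
// upgradeRequired: false, breakingChangeHits: three findings
```

Run against the page's own call site, the helper reports exactly the situation the advisory describes: the upgrade is required because of the library version, while the `_.omit` usage itself produces no breaking-change hits. Extending `PROTECTED_KEYS` or the path parser is where a team would adapt this to its own lint or CI check.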

This makes remediation time-sensitive. The current implementation may not trigger the breaking changes, but the library itself remains vulnerable, so the upgrade is mandatory to remove the exploitable flaws from the dependency. The situation underscores the importance of proactive dependency management in software supply chains: a single outdated library introduces severe risk even when the application code appears to use it safely, and failing to patch leaves the project exposed to attack through other vectors or through future code changes.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability, lodash, dependency management
- **Credibility**: unverified
- **Published**: 2026-04-20 18:22:58
- **ID**: 72886
- **URL**: https://whisperx.ai/en/intel/72886