CVE-2026-2950 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.23.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz
Path to dependency file: /OPENAPI-REST-API/openapi-client/zapier/package.json
Path to vulnerable library: /OPENAPI-REST-API/openapi-client/zapier/node_modules/lodash/package.json,/OPENAPI-REST-API/swagger-client/nodejs-server/node_modules/lodash/package.json,/OPENAPI-REST-API/openapi-client/zapier/node_modules/zapier-platform-core/node_modules/lodash/package.json,/OPENAPI-REST-API/openapi-client/zapier/node_modules/zapier-platform-schema/node_modules/lodash/package.json
Dependency Hierarchy:
- zapier-platform-core-18.3.0.tgz (Root Library)
- ❌ lodash-4.17.23.tgz (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution: lodash-es - 4.17.23,lodash-amd - 4.17.23,lodash - 4.17.23
Step up your Open Source Security Game with Mend here
CVE-2026-2950 - Medium Severity Vulnerability
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz
Path to dependency file: /OPENAPI-REST-API/openapi-client/zapier/package.json
Path to vulnerable library: /OPENAPI-REST-API/openapi-client/zapier/node_modules/lodash/package.json,/OPENAPI-REST-API/swagger-client/nodejs-server/node_modules/lodash/package.json,/OPENAPI-REST-API/openapi-client/zapier/node_modules/zapier-platform-core/node_modules/lodash/package.json,/OPENAPI-REST-API/openapi-client/zapier/node_modules/zapier-platform-schema/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution: lodash-es - 4.17.23,lodash-amd - 4.17.23,lodash - 4.17.23
Step up your Open Source Security Game with Mend here