Skip to content

Update dependency lodash to v4.17.23 [SECURITY]#57

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-lodash-vulnerability
Open

Update dependency lodash to v4.17.23 [SECURITY]#57
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-lodash-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Jan 22, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

Prototype Pollution in lodash

CVE-2019-10744 / GHSA-jf85-cpcp-j695

More information

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

  • CVSS Score: 7.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Prototype Pollution in lodash

CVE-2020-8203 / GHSA-p6mc-m468-83gw

More information

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions

CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg

More information

Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-lodash-vulnerability branch March 27, 2026 02:16
@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Update dependency lodash to v4.17.23 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 37329ff to 3cce935 Compare March 30, 2026 17:45
@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Mar 31, 2026
@renovate renovate Bot closed this Mar 31, 2026
@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Update dependency lodash to v4.17.23 [SECURITY] Apr 1, 2026
@renovate renovate Bot reopened this Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 3cce935 to 1f51d38 Compare April 1, 2026 14:38
@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency lodash to v4.17.23 [SECURITY] - autoclosed Update dependency lodash to v4.17.23 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 1f51d38 to 501e1c2 Compare April 27, 2026 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants