lodash-es (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package lodash-es, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2019-10744 — CVSS 9.1 (critical): Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or…
CVE-2026-4800 — CVSS 8.1 (high): Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in…
CVE-2021-23337 — CVSS 7.2 (high): Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVE-2019-1010266 — CVSS 6.5 (medium): lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is…
CVE-2026-2950 — CVSS 6.5 (medium): Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for…
CVE-2025-13465 — CVSS 5.3 (medium): Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass…
CVE-2020-28500 — CVSS 5.3 (medium): Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd…