AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-f23m-r3pf-42rh: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

mediumvulnerability

security

Source: GitHub Advisory DatabaseApril 1, 2026CVE-2026-2950

Summary

Lodash versions 4.17.23 and earlier have a vulnerability in the `_.unset` and `_.omit` functions that allows prototype pollution (modifying built-in object templates like Object.prototype that affect all objects). An attacker can bypass the previous security fix by using array-wrapped path segments to delete properties from these core prototypes, though they cannot change how those prototypes work.

Solution / Mitigation

Upgrade to Lodash version 4.18.0 or later. The source states: 'This issue is patched in 4.18.0.'

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

April 1, 2026

Classification

Attack Type

Model Poisoning

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedFramework

Affected Packages

lodash.unset@>= 4.0.0, < 4.18.0 (fixed: 4.18.0)lodash-amd@<= 4.17.23 (fixed: 4.18.0)lodash-es@<= 4.17.23 (fixed: 4.18.0)lodash@<= 4.17.23 (fixed: 4.18.0)

Related Issues

high

CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling

Similar attackNVD/CVE Database

info

Model Stability Defense Against Model Poisoning in Federated Learning

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-f23m-r3pf-42rh

First tracked: April 1, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 75%