Package "node-lodash"
| Name: | node-lodash |
| Description: | Lo-dash is a Node.js utility library |
| Latest version: | 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 |
| Release: | questing (25.10) |
| Level: | security |
| Repository: | universe |
| Homepage: | https://lodash.com/ |
Changelog
node-lodash (4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1) questing-security; urgency=medium

  * SECURITY UPDATE: prototype pollution in baseUnset
    - debian/patches/CVE-2025-13465.patch: add path traversal guards
      in baseUnset to block __proto__ and constructor.prototype paths in
      lodash.js, test/test.js.
    - CVE-2025-13465
  * SECURITY UPDATE: prototype pollution in baseUnset (bypass)
    - debian/patches/CVE-2026-2950.patch: use toKey() to normalize path
      segments and block constructor/prototype as non-terminal keys in
      lodash.js, test/test.js.
    - CVE-2026-2950
  * SECURITY UPDATE: command injection via _.template imports keys
    - debian/patches/CVE-2026-4800_1.patch: validate imports key names
      against reForbiddenIdentifierChars and switch assignInWith to
      assignWith in lodash.js, test/test.js.
    - debian/patches/CVE-2026-4800_2.patch: fix test references in
      test/test.js.
    - CVE-2026-4800

 -- Shafayat Hossain Majumder <email address hidden>  Mon, 08 Jun 2026 16:50:12 -0400

| CVE-2025-13465 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths w |
| CVE-2026-2950 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: |
| CVE-2026-4800 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but di |