npm vulnerability intelligence

lodash NPM Package Vulnerability Check

Lodash modular utilities.


lodash

v4.18.1 · MIT · 155,953,035 dl/wk

Advisory Breakdown

Critical 1
High 4
Moderate 5
Low 0

Severity Rating: Critical (10 advisories)

Weekly downloads: 155,953,035
Total advisories: 10
Latest version: 4.18.1
License: MIT

Known advisories

OSV records for the npm ecosystem

GHSA-29mw-wpgm-hmr9 CVE-2020-28500 moderate

Regular Expression Denial of Service (ReDoS) in lodash

Affected: >=4.0.0 <4.17.21 Fixed in: 4.17.21 Updated Sep 29, 2025
GHSA-35jh-r3h4-6jhm CVE-2021-23337 high

Command Injection in lodash

Affected: >=0 <4.17.21 Fixed in: 4.17.21 Updated Aug 12, 2025
GHSA-4xc9-xhrj-v574 CVE-2018-16487 high

Prototype Pollution in lodash

Affected: >=0 <4.17.11 Fixed in: 4.17.11 Updated Aug 12, 2025
GHSA-f23m-r3pf-42rh CVE-2026-2950 moderate

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Affected: >=0 <4.18.0, >=4.0.0 <4.18.0 Fixed in: 4.18.0 Updated Apr 2, 2026
GHSA-fvqr-27wr-82fm CVE-2018-3721 moderate

Prototype Pollution in lodash

Affected: >=0 <4.17.5 Fixed in: 4.17.5 Updated Aug 12, 2025
GHSA-jf85-cpcp-j695 CVE-2019-10744 critical

Prototype Pollution in lodash

Affected: >=0 <4.17.12, >=0 <4.17.14, >=0 <4.17.13, >=0 <4.6.1 Fixed in: 4.17.12, 4.17.14, 4.17.13, 4.6.1 Updated Mar 14, 2026
GHSA-p6mc-m468-83gw CVE-2020-8203 high

Prototype Pollution in lodash

Affected: >=3.7.0 <4.17.19, >=3.7.0 <4.17.20 Fixed in: 4.17.19, 4.17.20 Updated Aug 12, 2025
GHSA-r5fr-rjxr-66jc CVE-2026-4800 high

lodash vulnerable to Code Injection via `_.template` imports key names

Affected: >=4.0.0 <4.18.0 Fixed in: 4.18.0 Updated Apr 2, 2026
GHSA-x5rq-j2xg-h7qm CVE-2019-1010266 moderate

Regular Expression Denial of Service (ReDoS) in lodash

Affected: >=4.7.0 <4.17.11 Fixed in: 4.17.11 Updated Mar 13, 2026
GHSA-xxjr-mmjv-4gpg CVE-2025-13465 moderate

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

Affected: >=4.0.0 <4.17.23 Fixed in: 4.17.23 Updated Feb 4, 2026

Checked Jun 6, 2026, 4:18 AM from npm and OSV.dev


Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic

Data from npm registry and OSV.dev · Checked 6/6/2026, 4:18:37 AM