Lodash is a widely used npm package. As of 2026-05-24, there are 10 known vulnerabilities in the OSV database. The latest stable version is 4.18.1. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (10)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2019-10744 | CRITICAL | 9.5 | 0 to 4.17.12; 0 to 4.17.14; 0 to 4.17.13; 0 to 4.6.1; 0 to 4.17.12 | 4.17.12 | Prototype Pollution in lodash |
| CVE-2021-23337 | HIGH | 7.5 | 0 to 4.17.21; 0 to 4.17.21; >= 0; >= 0; 0 to 4.17.21 | 4.17.21 | Command Injection in lodash |
| CVE-2018-16487 | HIGH | 7.5 | 0 to 4.17.11; 0 to 4.17.11 | 4.17.11 | Prototype Pollution in lodash |
| CVE-2020-8203 | HIGH | 7.5 | 3.7.0 to 4.17.19; 3.7.0 to 4.17.20; >= 4.0.0; >= 3.7.0; >= 0; >= 0; >= 0; 3.7.0 to 4.17.19 | 4.17.19 | Prototype Pollution in lodash |
| CVE-2026-4800 | HIGH | 7.5 | 4.0.0 to 4.18.0; 4.0.0 to 4.18.0; 4.0.0 to 4.18.0; 4.0.0 to 4.18.0 | 4.18.0 | lodash vulnerable to Code Injection via `_.template` imports key names |
| CVE-2020-28500 | MODERATE | 5.0 | 4.0.0 to 4.17.21; 4.0.0 to 4.17.21; >= 4.0.0; >= 4.0.0; 4.0.0 to 4.17.21 | 4.17.21 | Regular Expression Denial of Service (ReDoS) in lodash |
| CVE-2026-2950 | MODERATE | 5.0 | 0 to 4.18.0; 0 to 4.18.0; 0 to 4.18.0; 4.0.0 to 4.18.0 | 4.18.0 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` |
| CVE-2018-3721 | MODERATE | 5.0 | 0 to 4.17.5; 0 to 4.17.5 | 4.17.5 | Prototype Pollution in lodash |
| CVE-2019-1010266 | MODERATE | 5.0 | 4.7.0 to 4.17.11; 4.7.0 to 4.17.11; 4.7.0 to 4.17.11; 4.7.0 to 4.17.11 | 4.17.11 | Regular Expression Denial of Service (ReDoS) in lodash |
| CVE-2025-13465 | MODERATE | 5.0 | 4.0.0 to 4.17.23; >= 4.0.0; 4.0.0 to 4.17.23; 4.0.0 to 4.17.23 | 4.17.23 | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions |
Security Recommendations
- Pin Lodash to the latest stable version (4.18.1) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
npm audit - Review your lock file (.package-lock.json) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Lodash safe to use?
Lodash is actively maintained and widely used. As of 2026-05-24, there are 10 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Lodash have?
The OSV database currently lists 10 vulnerabilities for Lodash. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Lodash to fix vulnerabilities?
Run npm update lodash or npm install lodash@latest to get the newest version. Use npm audit to identify vulnerable dependencies in your project. Enable automated updates with Dependabot or Renovate to stay current.
Using AI-Generated Code with Lodash?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Lodash, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit