Packages
- node-lodash - A modern JavaScript utility library delivering modularity, performance, & extras
Details
It was discovered that Lodash was vulnerable to a prototype pollution
issue in the zipObjectDeep function. An attacker could possibly use this
issue to modify application behavior. This issue only affected Ubuntu
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)

Liyuan Chen discovered that Lodash was vulnerable to a regular
expression denial of service issue in the toNumber, trim, and trimEnd
functions. An attacker could possibly use this issue to consume
excessive system resources, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)

Marc Hassan discovered that Lodash did not properly sanitize input to
the template function. An attacker could possibly use this issue to
inject and execute arbitrary commands. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)

It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from global prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and
Ubuntu 25.10. (CVE-2025-13465)

It was discovered that Lodash was vulnerable to a prototype pollution
issue in the unset and omit functions. An attacker could possibly use
this issue to delete properties from built-in prototypes, resulting in
security restrictions being bypassed. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)

It was discovered that Lodash did not properly validate certain inputs
to the template function. An attacker could possibly use this issue to
inject malicious code during template processing, resulting in arbitrary
code execution. (CVE-2026-4800)
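
The prototype pollution issues above involve a property path that reaches a prototype. One way for an application to reject such paths before calling zipObjectDeep, unset or omit, as an added example (not code from this notice or from Lodash); the function names and the simplified path tokenizer are assumptions:

```javascript
// Added example (not Lodash or Ubuntu code): validate a property path before
// it reaches a path-based helper such as zipObjectDeep, unset or omit.

// Keys that let a path step from an object onto a shared prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Assumption: this tokenizer approximates Lodash string-path syntax
// ("a.b[0]['c']"). It over-splits quoted keys that contain dots, which can
// only make the guard stricter, never more permissive.
function pathSegments(path) {
  if (Array.isArray(path)) {
    // Array paths hold one key per element; coerce each element once so a
    // nested array like ['__proto__'] is seen as the key it stringifies to.
    return path.map((seg) => String(seg));
  }
  return String(path)
    .split(/[.[\]]+/)
    .map((seg) => seg.replace(/^["']|["']$/g, '')) // drop bracket quotes
    .map((seg) => seg.replace(/\\(\\)?/g, '$1'))   // undo backslash escapes
    .filter((seg) => seg !== '');
}

// Returns a path that is safe to pass on, or throws. Strings are immutable
// and come back unchanged; any other input comes back as the coerced copy,
// so a later toString() call cannot produce a different key.
function safePath(path) {
  const segments = pathSegments(path);
  const bad = segments.find((seg) => FORBIDDEN.has(seg));
  if (bad !== undefined) {
    throw new RangeError('property path reaches a prototype via "' + bad + '"');
  }
  return typeof path === 'string' ? path : segments;
}

// Boolean form, convenient for filtering a list of candidate paths.
function isSafePath(path) {
  try { safePath(path); return true; } catch (err) { return false; }
}

// Constructed sample paths, as they might arrive in untrusted input.
const samples = ['user.profile.name', 'items[0].id', '__proto__.x',
  'constructor.prototype.toString', 'a["__proto__"].b', ['a', ['__proto__']]];
for (const p of samples) {
  console.log(JSON.stringify(p), isSafePath(p) ? 'accepted' : 'rejected');
}
```

For omit, which accepts a list of paths, apply safePath to each entry. The guard also rejects legitimate keys named `constructor` or `prototype`, so it suits untrusted input rather than internal paths.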
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.
The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version |
|---|---|
| 26.04 LTS resolute | libjs-lodash – 4.17.23+dfsg-1ubuntu0.1~esm1 |
| 26.04 LTS resolute | node-lodash – 4.17.23+dfsg-1ubuntu0.1~esm1 |
| 26.04 LTS resolute | node-lodash-packages – 4.17.23+dfsg-1ubuntu0.1~esm1 |
| 25.10 questing | libjs-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 |
| 25.10 questing | node-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 |
| 25.10 questing | node-lodash-packages – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 |
| 24.04 LTS noble | libjs-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 |
| 24.04 LTS noble | node-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 |
| 24.04 LTS noble | node-lodash-packages – 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 |
| 22.04 LTS jammy | libjs-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 |
| 22.04 LTS jammy | node-lodash – 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 |
| 22.04 LTS jammy | node-lodash-packages – 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 |
| 20.04 LTS focal | libjs-lodash – 4.17.15+dfsg-2ubuntu0.1~esm1 |
| 20.04 LTS focal | node-lodash – 4.17.15+dfsg-2ubuntu0.1~esm1 |
| 20.04 LTS focal | node-lodash-packages – 4.17.15+dfsg-2ubuntu0.1~esm1 |
| 18.04 LTS bionic | libjs-lodash – 4.17.4+dfsg-1ubuntu0.1~esm1 |
| 18.04 LTS bionic | node-lodash – 4.17.4+dfsg-1ubuntu0.1~esm1 |
| 16.04 LTS xenial | libjs-lodash – 2.4.1+dfsg-3ubuntu0.1~esm1 |
| 16.04 LTS xenial | node-lodash – 2.4.1+dfsg-3ubuntu0.1~esm1 |