lodash CVE Vulnerabilities & Metrics

Focus on lodash vulnerabilities and metrics.

Last updated: 08 Mar 2026, 23:25 UTC

About lodash Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with lodash. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total lodash CVEs: 8
Earliest CVE date: 07 Jun 2018, 02:29 UTC
Latest CVE date: 21 Jan 2026, 20:16 UTC

Latest CVE reference: CVE-2025-13465

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical lodash CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.81

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	7
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS lodash CVEs

These are the five CVEs with the highest CVSS scores for lodash, sorted by severity first and recency.

CVE-2018-16487 lodash Published on 01 Feb 2019, 18:29 UTC (CVSS: 6.8)
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
CVE-2021-23337 lodash Published on 15 Feb 2021, 13:15 UTC (CVSS: 6.5)
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVE-2019-10744 lodash Published on 26 Jul 2019, 00:15 UTC (CVSS: 6.4)
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVE-2020-8203 lodash Published on 15 Jul 2020, 17:15 UTC (CVSS: 5.8)
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
CVE-2020-28500 lodash Published on 15 Feb 2021, 11:15 UTC (CVSS: 5.0)
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

All CVEs for lodash

CVE-2025-13465 lodash vulnerability CVSS: 0 21 Jan 2026, 20:16 UTC

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

CVE-2021-23337 lodash vulnerability CVSS: 6.5 15 Feb 2021, 13:15 UTC

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2020-28500 lodash vulnerability CVSS: 5.0 15 Feb 2021, 11:15 UTC

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVE-2020-8203 lodash vulnerability CVSS: 5.8 15 Jul 2020, 17:15 UTC

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVE-2019-10744 lodash vulnerability CVSS: 6.4 26 Jul 2019, 00:15 UTC

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVE-2019-1010266 lodash vulnerability CVSS: 4.0 17 Jul 2019, 21:15 UTC

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

CVE-2018-16487 lodash vulnerability CVSS: 6.8 01 Feb 2019, 18:29 UTC

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVE-2018-3721 lodash vulnerability CVSS: 4.0 07 Jun 2018, 02:29 UTC

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.