All lodash CVEs — Complete Vulnerability History
lodash is one of the most-downloaded JavaScript utility libraries. It has had several high-severity CVEs, mostly prototype pollution in its deep-merge functions, plus one regular expression DoS and one command injection. All are fixed in 4.17.21.
npm
50M+ weekly downloads
6 CVEs total
1 CRITICAL
🔴 CISA KEV
CVE history — all 6 known vulnerabilities
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-3721 | 2018 | MEDIUM | Prototype pollution via defaultsDeep | Fixed in 4.17.5 |
| CVE-2018-16487 | 2018 | HIGH | Prototype pollution via merge | Fixed in 4.17.11 |
| CVE-2019-1010266 | 2019 | MEDIUM | Regular expression DoS in trim functions | Fixed in 4.17.11 |
| CVE-2019-10744 | 2019 | CRITICAL | Prototype pollution via defaultsDeep (bypass) | Fixed in 4.17.12 |
| CVE-2020-8203 | 2020 | 🔴 HIGH | Prototype pollution via zipObjectDeep and merge — CISA KEV | Fixed in 4.17.21 |
| CVE-2021-23337 | 2021 | HIGH | Command injection via template function | Fixed in 4.17.21 |
Current safe version
✓ Update to 4.17.21
The latest safe version addresses all 6 known CVEs listed above.
Before and after
Vulnerable (package.json dependency entry):
"lodash": "4.17.15"
Fixed:
"lodash": "4.17.21"
Then run: npm install
Paste your manifest — see your exact installed version against this full CVE list.
Scan with PackageFix → Free · No signup · No CLI · Runs in your browser
Common questions
How many CVEs does lodash have?
lodash has 6 known CVEs, all fixed in version 4.17.21. The most severe are the prototype pollution vulnerabilities CVE-2020-8203 (CISA KEV) and CVE-2019-10744 (CRITICAL). Keeping lodash at 4.17.21 addresses all of them.
Is lodash safe to use in 2026?
Yes — lodash 4.17.21 has no known unpatched CVEs. That said, lodash is increasingly replaced by native JavaScript for many operations. If you're starting a new project, consider whether you need lodash or if native Array/Object methods cover your use cases.
Why does lodash have so many prototype pollution CVEs?
lodash does deep object merging and manipulation — functions like merge(), defaultsDeep(), and zipObjectDeep(). These operations are inherently tricky to implement safely when user-controlled keys are involved: a key such as __proto__ or constructor.prototype in the source object can cause the merge to walk into Object.prototype and write properties that every object in the process then inherits. The team patched each variant as it was discovered.
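As an added illustration of the defensive side of this (example code, not lodash's implementation or PackageFix's), here is a deep merge that refuses the keys prototype-pollution payloads depend on, plus a scanner that flags those keys in an untrusted request body before any merge runs. The sample body is constructed for the example; FORBIDDEN_KEYS, safeDeepMerge and findPollutionKeys are names chosen here.

```javascript
// Added example: hardened deep merge and a payload scanner for prototype pollution.
// Not lodash code; the payload below is constructed for illustration.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (Object.prototype or null prototype) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `source` into `target`, dropping forbidden keys and never
// recursing into an inherited property, so Object.prototype is never walked.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop __proto__ / constructor / prototype
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Return dotted paths of forbidden keys anywhere in an untrusted object, so a
// request body can be rejected and logged instead of silently sanitised.
function findPollutionKeys(obj, path = []) {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const key of Object.keys(obj)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join("."));
    hits.push(...findPollutionKeys(obj[key], here)); // own "__proto__" shadows the accessor
  }
  return hits;
}

// Constructed sample: the shape of a JSON body aimed at Object.prototype.
const untrustedBody = JSON.parse(
  '{"name":"x","__proto__":{"isAdmin":true},"a":{"constructor":{"prototype":{"isAdmin":true}}}}'
);
```

In a web service the scanner belongs in input validation (reject the request when it returns any path), while the merge is the fallback for code paths that must accept arbitrary nested keys.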
What is CISA KEV and why is CVE-2020-8203 on it?
CISA KEV (Known Exploited Vulnerabilities) is a catalog of CVEs confirmed to have been exploited in real attacks. CVE-2020-8203 was added because attackers were using lodash prototype pollution to bypass authentication in web applications. It means you should treat this as urgent, not just routine.