PackageFix / Fix Guides / npm / lodash
lodash 4.17.21 — current safe version

lodash 4.17.21 has no known unpatched CVEs. It patches CVE-2021-23337 (zipObjectDeep), CVE-2020-8203 (set __proto__ blocked), and CVE-2019-10744. There is no lodash 5.x — 4.17.21 is the latest release.

All lodash CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

lodash is one of the most-downloaded JavaScript utility libraries. It has had several high-severity CVEs, mostly prototype pollution and command injection. All are fixed in 4.17.21.

npm 50M+ weekly downloads 6 CVEs total 1 CRITICAL 🔴 CISA KEV

CVE history — all 6 known vulnerabilities

🔴 1 CVE on CISA KEV — actively exploited in real attacks

CVE ID Year Severity Description Fix
CVE-2018-3721 2018 MEDIUM Prototype pollution via defaultsDeep Fixed in 4.17.5
CVE-2018-16487 2018 HIGH Prototype pollution via merge Fixed in 4.17.11
CVE-2019-1010266 2019 MEDIUM Regular expression DoS in trim functions Fixed in 4.17.11
CVE-2019-10744 2019 CRITICAL Prototype pollution via defaultsDeep (bypass) Fixed in 4.17.12
CVE-2020-8203 2020 🔴HIGH Prototype pollution via zipObjectDeep and merge — CISA KEV Fixed in 4.17.21
CVE-2021-23337 2021 HIGH Command injection via template function Fixed in 4.17.21

Current safe version

✓ Update to 4.17.21

The latest safe version addresses all 6 known CVEs listed above.

Before and after

Vulnerable:

"lodash": "4.17.15"

Fixed:

"lodash": "4.17.21"

Then run: npm install

Which packages pull in lodash?

lodash is one of the most common transitive dependencies in the npm ecosystem:

PackageDownloadsWhy
webpackvariesWebpack uses lodash for internal utilities
babelvariesBabel toolchain pulls in lodash
gatsbyvariesGatsby framework — multiple lodash paths
react-scriptslegacyCreate React App — lodash throughout
aws-sdkvariesAWS SDK v2 heavily uses lodash

Force safe lodash version across all transitive paths:

Paste your manifest — see your exact installed version against this full CVE list.

Scan with PackageFix →

Free · No signup · No CLI · Runs in your browser

Common questions

How many CVEs does lodash have?
lodash has 6 known CVEs, all fixed in version 4.17.21. The most severe are the prototype pollution vulnerabilities CVE-2020-8203 (CISA KEV) and CVE-2019-10744 (CRITICAL). Keeping lodash at 4.17.21 addresses all of them.
Is lodash safe to use in 2026?
Yes — lodash 4.17.21 has no known unpatched CVEs. That said, lodash is increasingly replaced by native JavaScript for many operations. If you're starting a new project, consider whether you need lodash or if native Array/Object methods cover your use cases.
Why does lodash have so many prototype pollution CVEs?
lodash does deep object merging and manipulation — functions like merge(), defaultsDeep(), and zipObjectDeep(). These operations are inherently tricky to implement safely when user-controlled keys are involved. The team patched each variant as they were discovered.
What is CISA KEV and why is CVE-2020-8203 on it?
CISA KEV (Known Exploited Vulnerabilities) is a catalog of CVEs confirmed confirmed as exploited per CISA KEV. CVE-2020-8203 was added because attackers were using lodash prototype pollution to bypass authentication in web applications. It means you should treat this as urgent, not just routine.

Related

lodash Critical CVEs

Severity breakdown

PackageFix vs Sonatype

Tool comparison

PackageFix vs Mend

Tool comparison

CVE-2020-8203 Detail

CISA KEV — prototype pollution

What is Prototype Pollution?

Plain-English explanation

Fix minimist

Another prototype pollution CVE

npm Security Overview

All npm vulnerability guides