Safeguard
Tag

lodash

Safeguard articles tagged "lodash" — guides, analysis, and best practices for software supply chain and application security.

9 articles

Security Guides

Is Lodash Safe? A 2026 Security Guide

Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.

Jul 1, 20266 min read
Vulnerability Analysis

lodash prototype pollution via zipObjectDeep (CVE-2020-8203)

CVE-2020-8203 lets attackers pollute Object.prototype via lodash's zipObjectDeep. Learn affected versions, CVSS/EPSS context, and remediation steps.

Jan 12, 20267 min read
Vulnerability Analysis

lodash defaultsDeep prototype pollution (CVE-2019-10744)

A critical prototype pollution flaw in lodash's defaultsDeep (CVE-2019-10744) lets attackers corrupt Object.prototype. Here's the impact and how to fix it.

Jan 12, 20268 min read
Vulnerability Analysis

lodash template code injection (CVE-2021-23337)

CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.

Jan 12, 20268 min read
Vulnerability Analysis

lodash property injection via merge functions (CVE-2018-16487)

CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.

Jan 4, 20267 min read
Open Source Security

lodash zipObjectDeep Prototype Pollution (CVE-2020-8203)

CVE-2020-8203 is a prototype pollution flaw in lodash's zipObjectDeep, affecting versions before 4.17.19. Here's the impact, timeline, and how to remediate it.

Dec 1, 20258 min read
Vulnerability Analysis

CVE-2018-16487: Prototype pollution in lodash via merge/m...

CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.

Oct 17, 20257 min read
Vulnerability Analysis

CVE-2020-8203: Prototype pollution in lodash zipObjectDeep

CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.

Oct 17, 20258 min read
Vulnerability Analysis

CVE-2021-23337: Command injection in lodash template func...

CVE-2021-23337 enables command injection via lodash's template function in versions before 4.17.21. Here's the CVSS context, timeline, and how to remediate it.

Oct 16, 20257 min read
lodash — Safeguard Blog