UID2-6871: Fix CVE-2026-4800 lodash arbitrary code execution#186

Merged
sunnywu merged 1 commit into main from
syw-UID2-6871-fix-lodash-cve-2026-4800
Apr 7, 2026

Conversation

@sunnywu sunnywu (Contributor) commented Apr 7, 2026

Summary

Fixes CVE-2026-4800 (HIGH severity) in lodash@4.17.21 — arbitrary code execution via untrusted input in template imports.

  • Adds "lodash": "^4.18.0" to overrides in both affected package.json files
  • Regenerated lockfiles now resolve lodash to 4.18.1

Affected paths

  • web-integrations/google-secure-signals/react-client-side/
  • web-integrations/javascript-sdk/react-client-side/

References

🤖 Generated with Claude Code

Add lodash override (^4.18.0) in package.json overrides for both
react-client-side apps to resolve CVE-2026-4800 in the transitive
lodash@4.17.21 dependency. Regenerated lockfiles confirm lodash@4.18.1
is now installed in place of 4.17.21.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
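The check a reviewer would want to run against the regenerated lockfiles, as an added example that is not code from this PR or the project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports any lodash entry, top-level or nested under another dependency, that still resolves below the 4.18.0 floor the override sets. The two sample lockfiles are constructed.

```javascript
// Floor taken from the "^4.18.0" override the PR adds.
const MIN_LODASH = [4, 18, 0];

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}

// True when `version` (e.g. "4.18.1") is >= the [major, minor, patch] floor.
function isAtLeast(version, floor) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] > floor[i]) return true;
    if (a[i] < floor[i]) return false;
  }
  return true;
}

// Every "packages" key ending in "node_modules/lodash" is a lodash install,
// including nested duplicates an override is meant to eliminate. Returns the
// entries that are missing a version or sit below the floor.
function findVulnerableLodash(lock, floor = MIN_LODASH) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isLodash =
      path === 'node_modules/lodash' || path.endsWith('/node_modules/lodash');
    if (isLodash && (!meta.version || !isAtLeast(meta.version, floor))) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: before the override, a transitive copy still pins
// 4.17.21; after regeneration only the patched release remains.
const beforeLock = {
  packages: {
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
  },
};
const afterLock = {
  packages: {
    'node_modules/lodash': { version: '4.18.1' },
  },
};

console.log('before:', findVulnerableLodash(beforeLock));
console.log('after:', findVulnerableLodash(afterLock));
```

To run it on a real lockfile, load it with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the object to `findVulnerableLodash`; an empty result means no lodash below 4.18.0 is installed.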
@BehnamMozafari BehnamMozafari self-requested a review April 7, 2026 02:35
@sunnywu sunnywu merged commit 007c1cd into main Apr 7, 2026
2 checks passed
@sunnywu sunnywu deleted the syw-UID2-6871-fix-lodash-cve-2026-4800 branch April 7, 2026 02:42