[Aikido] Fix security issue in lodash-es via minor version upgrade from 4.17.21 to 4.18.1 in client #797

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-35158960-715l
Conversation

@aikido-autofix aikido-autofix Bot commented May 16, 2026

Upgrade lodash-es to patch critical RCE vulnerability in _.template via options.imports injection and medium prototype pollution issues in _.unset and _.omit functions.

✅ Code not affected by breaking changes.

✅ No breaking changes from the lodash-es upgrade affect this codebase. While lodash-es is present as a transitive dependency through CKEditor5 packages, the codebase does not directly use the affected methods (_.unset, _.omit, or _.template). All occurrences of these terms in the codebase are unrelated to lodash-es functionality (MongoDB operators, application-specific templates, and documentation).

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 4.18.0 | _.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched. |
| 4.18.0 | _.template: imports keys containing forbidden identifier characters now throw an "Invalid imports option passed into _.template" error, where previously they were accepted. |

✅ 3 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-4800 | 🚨 CRITICAL | [lodash-es] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation. |
| CVE-2025-13465 | MEDIUM | [lodash-es] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-2950 | MEDIUM | [lodash-es] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior. |
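As an added example (not code from the PR, from lodash, or from Aikido), a small guard in plain JavaScript that mirrors the 4.18.0 rule quoted in the table above, so a codebase that still receives user-supplied paths can reject them before calling _.unset or _.omit. The names toSegments, isSafeUnsetPath and safeUnset and the simplified path parser are assumptions of this example, not lodash's own code.

```javascript
// Added example (not from the PR, lodash, or Aikido): a guard that mirrors the
// lodash-es 4.18.0 rule for _.unset / _.omit. Function names and the
// simplified path parser are assumptions of this example, not lodash's code.

// Keys that 4.18.0 refuses as non-terminal path segments (from the PR table).
const FORBIDDEN_NON_TERMINAL = new Set(['constructor', 'prototype']);

// Normalise a lodash-style path into plain string segments. Accepts dotted or
// bracketed strings ("a.b[0].c") and arrays; nested arrays such as
// ['a', ['constructor'], 'x'] are flattened, so an array-wrapped segment
// (the bypass described in CVE-2026-2950) is still seen as a plain key.
function toSegments(path) {
  if (Array.isArray(path)) {
    return path.flat(Infinity).map(String);
  }
  return String(path).split(/[.[\]]+/).filter((s) => s.length > 0);
}

// True when no non-terminal segment is "constructor" or "prototype".
// A forbidden key in the last position only removes that key from the target
// object itself and is allowed, matching the 4.18.0 description.
function isSafeUnsetPath(path) {
  const segs = toSegments(path);
  return segs.slice(0, -1).every((s) => !FORBIDDEN_NON_TERMINAL.has(s));
}

// Minimal unset that applies the guard. On a rejected path it returns false
// and leaves the target untouched, the same outcome 4.18.0 gives. Otherwise it
// walks the path and deletes the final key, returning true when the key is
// gone (or never existed), as _.unset does.
function safeUnset(target, path) {
  if (!isSafeUnsetPath(path)) {
    return false;
  }
  const segs = toSegments(path);
  let cur = target;
  for (const key of segs.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object') {
      return true; // nothing to delete along a missing branch
    }
    cur = cur[key];
  }
  if (cur === null || typeof cur !== 'object') {
    return true;
  }
  return delete cur[segs[segs.length - 1]];
}
```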

Closed by Aikido: a new AutoFix has been created → #798

@aikido-autofix aikido-autofix Bot closed this May 16, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-35158960-715l branch May 16, 2026 05:30