Multiple Lodash Vulnerabilities Affecting Ubuntu Versions
Severity: High (Score: 72.5)
Sources: Ubuntu, Linuxsecurity
Keywords: ubuntu, issue, lodash, prototype, pollution, critical, vuln
Severity indicators: critical, issue, ot
Summary
Multiple vulnerabilities in Lodash were discovered, affecting several Ubuntu LTS versions including 16.04, 18.04, 20.04, 22.04, 24.04, and 25.10. The vulnerabilities include a prototype pollution issue in the zipObjectDeep function (CVE-2020-8203), a denial of service issue in the toNumber, trim, and trimEnd functions (CVE-2020-28500), and improper input sanitization in the template function (CVE-2021-23337). An attacker could exploit these vulnerabilities to modify application behavior, consume excessive system resources, or execute arbitrary commands. The issues were confirmed by various researchers and are critical for users of the affected Ubuntu versions. Users are advised to update their systems to mitigate these vulnerabilities. The vulnerabilities have been patched in the latest package versions available through Ubuntu Pro.

Key Points:
- Lodash vulnerabilities affect multiple Ubuntu LTS versions, including 16.04 to 26.04.
- Critical issues include prototype pollution and denial of service vulnerabilities.
- Users are urged to update their systems to the latest patched versions.
Detailed Analysis
**Impact**

Ubuntu users across multiple LTS versions (16.04, 18.04, 20.04, 22.04, 24.04, 25.10, and 26.04) are affected by these Lodash vulnerabilities. The issues could lead to unauthorized modification of application behavior, denial of service, and arbitrary code execution, potentially impacting any sector relying on these Ubuntu distributions. The vulnerabilities pose risks to applications using Lodash, especially in environments processing untrusted input, with global geographic scope due to Ubuntu's widespread use.

**Technical Details**

The vulnerabilities include prototype pollution in the `zipObjectDeep`, `unset`, and `omit` functions (CVE-2020-8203, CVE-2025-13465, CVE-2026-2950), a regular expression denial of service in the `toNumber`, `trim`, and `trimEnd` functions (CVE-2020-28500), and improper input validation in the `template` function leading to arbitrary code execution (CVE-2021-23337, CVE-2026-4800). Attackers could exploit these flaws by supplying crafted inputs to Lodash functions, affecting the application logic or causing resource exhaustion. No specific malware, tools, or IOCs were reported.

**Recommended Response**

Apply the updated Lodash packages provided in Ubuntu Security Notice USN-8411-1 immediately, prioritizing systems running Ubuntu 18.04 LTS through 26.04 LTS. The affected packages are libjs-lodash and node-lodash, with fixes available via Ubuntu Pro or standard updates. Monitor application logs for unusual input handling or resource spikes indicative of exploitation attempts. No additional detection signatures or IOCs are currently available.
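The two vulnerability classes above (prototype pollution through path-based setters, and resource exhaustion through unbounded string handling) are easiest to reason about with a concrete defensive guard. The following is an added example written for this page; it is not code from Lodash, Ubuntu, or the USN. The function names (`safeSetPath`, `isPrototypePolluted`, `withLengthLimit`, `hardenPrototype`) and the canary keys are assumptions chosen for illustration. It shows a hardened path setter that refuses the key names through which deep-assignment helpers can reach `Object.prototype`, a runtime canary check a service can run in a health probe to notice pollution that already happened, and a length bound to apply before handing untrusted strings to regex-based utilities.

```javascript
// Added example for this page (not Lodash or Ubuntu code): defensive guards
// against prototype pollution and unbounded-input denial of service.

// Property names that let a path-based setter climb into Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(String(key));
}

// Hardened deep setter: assigns `value` at a dotted or array path on `target`,
// refusing any segment that is an unsafe key and never walking into inherited
// (non-own) objects. Hypothetical helper, shaped like zipObjectDeep-style APIs.
function safeSetPath(target, path, value) {
  const parts = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const segment of parts) {
    if (isUnsafeKey(segment)) {
      throw new Error(`refusing unsafe path segment: ${segment}`);
    }
  }
  let cursor = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const ownValue = Object.prototype.hasOwnProperty.call(cursor, key) ? cursor[key] : undefined;
    if (ownValue === null || typeof ownValue !== 'object') {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[parts[parts.length - 1]] = value;
  return target;
}

// Canary check: these names must never be reachable on a brand-new object.
// Returns the list of canary keys that ARE reachable, i.e. evidence of pollution.
// The canary names are constructed for this example.
function isPrototypePolluted(canaryKeys = ['isAdmin', 'polluted', 'role']) {
  const fresh = {};
  return canaryKeys.filter((k) => k in fresh);
}

// Bound the size of untrusted strings before passing them to regex-heavy
// utilities (trim/toNumber-style helpers), which limits ReDoS exposure.
function withLengthLimit(input, maxLength = 4096) {
  const s = String(input);
  if (s.length > maxLength) {
    throw new RangeError(`input length ${s.length} exceeds limit ${maxLength}`);
  }
  return s;
}

// Optional hardening at process start: freezing Object.prototype makes later
// pollution attempts fail (throwing in strict mode). Not called here because it
// is process-wide and can break libraries that extend Object.prototype.
function hardenPrototype() {
  Object.freeze(Object.prototype);
}

module.exports = { isUnsafeKey, safeSetPath, isPrototypePolluted, withLengthLimit, hardenPrototype };
```

Usage: call `isPrototypePolluted()` from a health endpoint and alert if it returns a non-empty array; route all untrusted path assignments through `safeSetPath`; wrap user-supplied strings in `withLengthLimit` before any trimming or numeric parsing. None of this replaces applying the USN-8411-1 package updates; it limits blast radius while the patch rolls out.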
Source articles (2)
- USN-8411-1: Lodash vulnerabilities — Ubuntu · 2026-06-09
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only aff…
- Ubuntu 26.04 LTS Lodash Critical Prototype Pollution Vuln USN-8411 — Linuxsecurity · 2026-06-09
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 26.04 LTS, Ubuntu 25.10, Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS…
Timeline
- 2020-07-15 — CVE-2020-8203 published: Prototype pollution vulnerability in Lodash's zipObjectDeep function was disclosed, affecting Ubuntu 18.04 and 20.04.
- 2021-02-15 — CVE-2020-28500 published: Denial of service vulnerability in Lodash's toNumber, trim, and trimEnd functions was disclosed, affecting Ubuntu 18.04 and 20.04.
- 2021-02-15 — CVE-2021-23337 published: Improper input sanitization vulnerability in Lodash's template function was disclosed, affecting Ubuntu 16.04, 18.04, and 20.04.
- 2026-01-21 — CVE-2025-13465 published: New prototype pollution vulnerability in Lodash was disclosed, affecting Ubuntu 16.04 to 26.04.
- 2026-03-31 — CVE-2026-4800 and CVE-2026-2950 published: New vulnerabilities in Lodash were disclosed, affecting multiple Ubuntu versions.
- 2026-06-09 — Security notice released: Ubuntu issued USN-8411-1, detailing multiple Lodash vulnerabilities and urging users to update.
CVEs
Related entities
- DDoS (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-1321 - Prototype Pollution (Cwe)
- CWE-400 - Uncontrolled Resource Consumption (Cwe)
- CWE-78 - OS Command Injection (Cwe)
- CWE-94 - Code Injection (Cwe)
- Ubuntu (Company)
- Prototype Pollution (Vulnerability)