Ubuntu USN · USN-8411-1

Lodash vulnerabilities

Published: Tue, 09 Jun 2026 15:16

CVE-2025-13465CVE-2020-28500CVE-2026-4800CVE-2020-8203CVE-2021-23337CVE-2026-2950

Summary

Several security issues were fixed in Lodash.

Details

It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203) Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500) Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could possibly use this issue to inject and execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337) It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from global prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-13465) It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit functions. An attacker could possibly use this issue to delete properties from built-in prototypes, resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950) It was discovered that Lodash did not properly validate certain inputs to the template function. An attacker could possibly use this issue to inject malicious code during template processing, resulting in arbitrary code execution. (CVE-2026-4800)

Recommended actions per Ubuntu release

StackPatch playbook auto-generated per release codename and per affected package.

Ubuntu bionic

node-lodash→4.17.4+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.4+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.4+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→4.17.4+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.4+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=4.17.4+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→4.17.4+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.4+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.4+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu focal

node-lodash→4.17.15+dfsg-2ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.15+dfsg-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.15+dfsg-2ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→4.17.15+dfsg-2ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.15+dfsg-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=4.17.15+dfsg-2ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→4.17.15+dfsg-2ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.15+dfsg-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.15+dfsg-2ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash-packages→4.17.15+dfsg-2ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.15+dfsg-2ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash-packages=4.17.15+dfsg-2ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu jammy

node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash-packages→4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash-packages=4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu noble

node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash-packages→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1apt_upgrade_esm
Fixed at 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash-packages=4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu questing

node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1apt_upgrade
Standard apt upgrade. Install 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
libjs-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1apt_upgrade
Standard apt upgrade. Install 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
node-lodash→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1apt_upgrade
Standard apt upgrade. Install 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash
```
Most apt upgrades restart their service automatically. needrestart lists anything else.
node-lodash-packages→4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1apt_upgrade
Standard apt upgrade. Install 4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1 from the apt repo.
```
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash-packages
```
Most apt upgrades restart their service automatically. needrestart lists anything else.

Ubuntu resolute

node-lodash→4.17.23+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.23+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.23+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→4.17.23+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.23+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=4.17.23+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→4.17.23+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.23+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=4.17.23+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash-packages→4.17.23+dfsg-1ubuntu0.1~esm1apt_upgrade_esm
Fixed at 4.17.23+dfsg-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash-packages=4.17.23+dfsg-1ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Ubuntu xenial

node-lodash→2.4.1+dfsg-3ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.4.1+dfsg-3ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=2.4.1+dfsg-3ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
libjs-lodash→2.4.1+dfsg-3ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.4.1+dfsg-3ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y libjs-lodash=2.4.1+dfsg-3ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
node-lodash→2.4.1+dfsg-3ubuntu0.1~esm1apt_upgrade_esm
Fixed at 2.4.1+dfsg-3ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
```
sudo pro attach <token>
sudo apt-get update
sudo apt-get install --only-upgrade -y node-lodash=2.4.1+dfsg-3ubuntu0.1~esm1
```
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.

Are YOU affected by USN-8411-1?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8411-1 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →