Lodash Vulnerabilities in TrueNAS Web UI (CVE-2026-4800, CVE-2025-13465, CVE-2026-2950)
Document Version: 1.0
Severity: High–Critical (CVE), Low (TrueNAS Impact)
Three vulnerabilities affect lodash 4.x, the JavaScript utility library. TrueNAS includes lodash 4.17.21 as a dependency of the Angular-based web UI (truenas_webui). All three CVEs are patched in lodash 4.18.0.
Despite the high CVSS scores, the TrueNAS impact is LOW for all three:
- CVE-2026-4800 (`_.template` code injection, CVSS 9.8): `_.template` is never imported or called anywhere in the TrueNAS web UI source. Angular's production build tree-shaking excludes it from the delivered bundle entirely.
- CVE-2025-13465 (`_.omit` prototype pollution, CVSS 7.4): `_.omit` is used in the webui, but all call sites pass fixed TypeScript-typed object keys, not attacker-controlled path strings.
- CVE-2026-2950 (`_.unset`/`_.omit` bypass, CVSS 6.5): Bypass of the CVE-2025-13465 fix via array-wrapped path segments. The same usage analysis applies: the affected functions are called with controlled arguments. Property deletion only; no prototype overwrites.
All three vulnerabilities are client-side (JavaScript executing in the browser). The web UI is an administrative interface not exposed to unauthenticated users by default.
TrueNAS Impact: LOW — Vulnerable code present in the dependency tree; practical exploitation requires attacker-controlled input to specific lodash functions that do not receive such input in the TrueNAS codebase. Upgrade to lodash 4.18.0 is the correct fix and should be applied.
- CVE: CVE-2026-4800
- Component: `lodash.template()`
- CVSS: 9.8 CRITICAL (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`)
- Description: `_.template()` evaluates template strings as JavaScript code using `Function()`. Passing attacker-controlled input as a template string results in arbitrary JavaScript execution in the context of the calling application.
- Affected versions: lodash < 4.18.0
- CVE: CVE-2025-13465
- Component: `lodash.omit()`, `lodash.unset()`
- CVSS: 7.4 HIGH (`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`)
- Description: `_.omit()` accepts dot-notation path strings to specify properties to remove. Paths such as `__proto__.polluted` allow writing arbitrary properties onto `Object.prototype`, affecting all objects in the JavaScript runtime.
- Affected versions: lodash ≤ 4.17.21
- CVE: CVE-2026-2950
- Component: `lodash.omit()`, `lodash.unset()`
- CVSS: 6.5 MEDIUM (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`)
- Description: Bypass of the CVE-2025-13465 fix using array-wrapped path segments (e.g., `['__proto__', 'polluted']` instead of `'__proto__.polluted'`). Allows deletion of properties from built-in prototypes (`Object.prototype`, `Number.prototype`, `String.prototype`) but does not permit overwriting prototype values.
- Affected versions: lodash ≤ 4.17.23
| Component | Version | Location |
|---|---|---|
| lodash | 4.17.21 | truenas_webui/package.json — Angular web UI frontend |
All three CVEs require lodash 4.18.0 to patch. TrueNAS webui specifies `"lodash": "~4.17.21"`, which pins to the 4.17.x range and does not automatically pick up 4.18.0.
`_.template` is not present in the TrueNAS webui codebase:
- No import of `_.template` or `lodash/template` found in any source file
- Angular's production build (with tree-shaking) excludes unused lodash exports from the delivered bundle
- The vulnerable code path cannot be reached by any input to the deployed application
Verdict: Not affected. The CVSS 9.8 score does not apply to TrueNAS.
`_.omit` is imported and used in 9 source files in the webui. All call sites follow this pattern:

```typescript
// Representative usage pattern throughout webui
const filtered = _.omit(this.formValue, ['sensitiveField', 'anotherField']);
```
All identified call sites pass:
- Fixed string literals (hardcoded property names)
- TypeScript-typed object keys (values constrained to known enum members or interface properties)
None of the call sites pass user-supplied strings as path arguments to `_.omit`. The prototype pollution requires attacker-controlled path input (e.g., `_.omit(obj, userInput)`), which does not occur in the TrueNAS webui.
Verdict: Vulnerability present in shipped code; exploitation requires attacker-controlled input to a lodash call site, which does not exist in TrueNAS webui.
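As an added example (not code from this advisory or from the TrueNAS webui), the following guard enforces the call-site policy described above for `_.omit` and also covers the array-wrapped segment form behind CVE-2026-2950. The names `toSegments`, `isSafePath` and `omitSafe` are assumed helper names, and the omit itself is implemented inline over plain data so the snippet runs without lodash.

```javascript
// Added example (not code from the TrueNAS advisory or the webui repository):
// a guard enforcing the call-site policy the advisory relies on, applied
// before any lodash-style property-removal helper sees a path. It rejects
// both path forms named in the advisory: dot-notation strings
// ("__proto__.polluted") and array-wrapped segments (['__proto__', 'polluted']),
// including nested arrays, and it never traverses inherited properties.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise one path (string or array, the forms lodash accepts) into segments.
function toSegments(path) {
  if (Array.isArray(path)) return path.flat(Infinity).map(String);
  if (typeof path === 'string') return path.split('.');
  throw new TypeError('path must be a string or an array of segments');
}

// True only when no segment could reach a built-in prototype.
function isSafePath(path) {
  return toSegments(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// omit() over plain JSON-like data (form values, as in the usage pattern above).
// Throws on an unsafe path rather than silently dropping it, so a caller bug
// surfaces instead of being masked.
function omitSafe(obj, paths) {
  const out = JSON.parse(JSON.stringify(obj)); // copy; input is plain data
  for (const path of paths) {
    if (!isSafePath(path)) {
      throw new Error(`refusing prototype-reaching path: ${JSON.stringify(path)}`);
    }
    const segs = toSegments(path);
    let cur = out;
    // Walk own properties only; give up if any intermediate is missing.
    for (const seg of segs.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg) ||
          typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur = null;
        break;
      }
      cur = cur[seg];
    }
    if (cur !== null) delete cur[segs[segs.length - 1]];
  }
  return out;
}
```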
Even in a theoretical worst case, all three vulnerabilities execute as client-side JavaScript within the user’s browser session:
- The web UI is served over HTTPS to authenticated administrators
- Exploitation would require a persistent XSS or supply-chain compromise to inject attacker-controlled values into lodash calls
- Successful exploitation would affect only the attacker’s own browser session, not the server
No action is required. There is no configuration change, workaround, or patch that a TrueNAS administrator can apply to address these CVEs. The vulnerable code is bundled inside the web UI application itself.
The practical risk to your system is low: exploitation requires attacker-controlled input to specific lodash functions that receive no such input in the current TrueNAS web UI, and any exploitation would be limited to the browser session of an already-authenticated administrator.
A web UI update incorporating lodash 4.18.0 will be delivered through the normal TrueNAS software update channel. Apply TrueNAS updates when available.
| CVE | CVSS | TrueNAS Risk | Reason |
|---|---|---|---|
| CVE-2026-4800 | 9.8 CRITICAL | Negligible | _.template never called; excluded by tree-shaking |
| CVE-2025-13465 | 7.4 HIGH | Low | _.omit used but with non-attacker-controlled paths |
| CVE-2026-2950 | 6.5 MEDIUM | Low | Same as above; property deletion only, no overwrites |
- CVE-2025-13465: lodash prototype pollution via `_.omit`
- CVE-2026-2950: lodash `_.omit`/`_.unset` bypass (GHSA-xxjr-mmjv-4gpg)
- CVE-2026-4800: lodash `_.template` code injection
- lodash 4.18.0 release: https://github.com/lodash/lodash/releases/tag/4.18.0
- Affected package: `truenas_webui` (https://github.com/truenas/webui)
- TrueNAS Security: https://security.truenas.com
This document will be updated if additional lodash call sites with attacker-controlled inputs are identified, or when lodash 4.18.0 is incorporated into the webui dependency tree.