The leaflet module ships a bundled copy of @geoman-io/leaflet-geoman-free at version 2.13.0 (js/leaflet-geoman-free/dist/). This version bundles lodash 4.17.21, which is affected by two security vulnerabilities:

- CVE-2026-2950 (https://nvd.nist.gov/vuln/detail/CVE-2026-2950) — Prototype pollution via _.unset/_.omit (CVSS 5.3 Medium), fixed in lodash 4.18.0
- CVE-2026-4800 (https://nvd.nist.gov/vuln/detail/CVE-2026-4800) — Code injection via template options (CVSS 9.8 Critical), fixed in lodash 4.18.0

@geoman-io/leaflet-geoman-free 2.19.3 ships lodash 4.18.1 and resolves both CVEs.

Steps to reproduce: Check js/leaflet-geoman-free/package.json — lodash is listed as a runtime dependency at 4.17.21. Confirm it is inlined into dist/leaflet-geoman.min.js (search for lodash:"4.17.21" in that file).

Proposed fix: Update the bundled leaflet-geoman-free from 2.13.0 to 2.19.3, rebuild the dist files, and release a new module version.
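The "steps to reproduce" above amount to a two-point check: what lodash version the bundled package.json declares, and what version string is actually inlined into the minified dist. The script below is an added example (not part of this issue or of the Leaflet/leaflet-geoman code) that performs that check and compares both values against lodash 4.18.0, the version the report names as fixing both CVEs. The package.json contents and the minified-bundle snippets are constructed samples; the only assumption about real files is that the bundle inlines its dependency version as `lodash:"x.y.z"`, which is the search string the report gives.

```python
import json
import re

# Both CVEs in the report are stated to be fixed in lodash 4.18.0.
FIXED_LODASH = (4, 18, 0)

# Constructed sample inputs (hypothetical; not the module's actual files).
SAMPLE_PACKAGE_JSON_OLD = """{
  "name": "@geoman-io/leaflet-geoman-free",
  "version": "2.13.0",
  "dependencies": { "lodash": "^4.17.21" }
}"""
SAMPLE_PACKAGE_JSON_NEW = """{
  "name": "@geoman-io/leaflet-geoman-free",
  "version": "2.19.3",
  "dependencies": { "lodash": "^4.18.1" }
}"""
# Stand-ins for dist/leaflet-geoman.min.js before and after a rebuild.
SAMPLE_BUNDLE_OLD = '!function(){var t={lodash:"4.17.21",leaflet:"1.9.4"};/* minified code */}();'
SAMPLE_BUNDLE_NEW = '!function(){var t={lodash:"4.18.1",leaflet:"1.9.4"};/* minified code */}();'

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Extract the first x.y.z triple from a version string or semver range spec."""
    m = VERSION_RE.search(spec)
    if not m:
        raise ValueError(f"no x.y.z version in {spec!r}")
    return tuple(int(part) for part in m.groups())


def fmt(version):
    return ".".join(str(part) for part in version)


def declared_lodash_version(package_json_text):
    """lodash version declared in package.json (dependencies first, then devDependencies)."""
    data = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies"):
        spec = data.get(section, {}).get("lodash")
        if spec:
            return parse_version(spec)
    return None


def inlined_lodash_version(bundle_text):
    """Version string the minified bundle inlines as lodash:"x.y.z" (None if absent)."""
    m = re.search(r'lodash:"(\d+\.\d+\.\d+)"', bundle_text)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version):
    """True when a version is known and predates the fixed lodash release."""
    return version is not None and version < FIXED_LODASH


def audit(package_json_text, bundle_text):
    """Compare declared and inlined lodash versions against the fixed release.

    Returns both versions plus a list of human-readable findings; an empty
    findings list means nothing affected was detected.
    """
    declared = declared_lodash_version(package_json_text)
    inlined = inlined_lodash_version(bundle_text)
    findings = []
    if is_vulnerable(declared):
        findings.append(f"package.json declares lodash {fmt(declared)} (< {fmt(FIXED_LODASH)})")
    if is_vulnerable(inlined):
        findings.append(f"dist bundle inlines lodash {fmt(inlined)} (< {fmt(FIXED_LODASH)})")
    if inlined is None:
        findings.append("no inlined lodash version found in bundle; inspect it manually")
    elif declared is not None and declared != inlined:
        # A rebuilt package.json with a stale dist (or vice versa) is a common miss.
        findings.append("declared and inlined lodash versions differ; dist may be stale")
    return {"declared": declared, "inlined": inlined, "findings": findings}


if __name__ == "__main__":
    cases = (
        ("2.13.0 as shipped", SAMPLE_PACKAGE_JSON_OLD, SAMPLE_BUNDLE_OLD),
        ("2.19.3 rebuilt", SAMPLE_PACKAGE_JSON_NEW, SAMPLE_BUNDLE_NEW),
        ("package.json stale, dist rebuilt", SAMPLE_PACKAGE_JSON_OLD, SAMPLE_BUNDLE_NEW),
    )
    for label, pkg, bundle in cases:
        result = audit(pkg, bundle)
        print(label, "->", result["findings"] or ["no affected lodash detected"])
```

To run it against a real checkout, replace the two sample strings with the contents of js/leaflet-geoman-free/package.json and dist/leaflet-geoman.min.js; the mismatch finding is the one to watch after a version bump, since updating package.json without rebuilding the dist leaves the vulnerable code in place.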

Issue fork leaflet-3591443


Comments

youngwolf0 created an issue. See original summary.

  • itamair committed 0d48d7e3 on 10.4.x
    fix: #3591443 Update bundled leaflet-geoman-free to 2.19.3+ to fix...

Status: Active » Fixed

thanks @youngwolf0

Going to deploy a new Drupal Leaflet release with all this.
