CVE-2025-13465 — Prototype Pollution in Lodash

CWE-1321 — Prototype Pollution13 documents8 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 91.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lodash Lodash Lodash-amd Lodash Lodash-es +4 more

Timeline

PublishedJan 21

Latest updateApr 1

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H

Affected Packages10 packages

▶CVEListV5lodash/lodash.unset4.0.0 — 4.18.0

▶npmlodash.unset/lodash.unset4.0.0 — 4.5.2

▶CVEListV5lodash.unset/lodash.unset4.0.0

▶CVEListV5lodash/lodash4.17.23 — 4.18.0+1

▶NVDlodash/lodash4.0.0 — 4.17.23

🔴Vulnerability Details

GHSA

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`↗2026-04-01

▶

OSV

CVE-2025-13465: Lodash versions 4↗2026-01-21

▶

GHSA

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions↗2026-01-21

▶

CVEList

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions↗2026-01-21

▶

OSV

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions↗2026-01-21

▶

📋Vendor Advisories

Red Hat

lodash: prototype pollution in _.unset and _.omit functions↗2026-01-21

▶

Debian

CVE-2025-13465: node-lodash - Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in t...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-13465 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-42]↗2026-01-26

▶

Bugzilla

CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-43]↗2026-01-26

▶

Bugzilla

CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [epel-10]↗2026-01-26

▶