CVE-2025-13465
Published 2026-01-21
Priority P4 · 34 · medium · 5.3 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS 1.54% (71.7th percentile)
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-lodash | < node-lodash 4.18.1+dfsg-1 (forky) | node-lodash 4.18.1+dfsg-1 (forky) |
| debian | node-lodash | < node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-10 (forky) | node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-10 (forky) |
| lodash.unset | lodash.unset | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash.unset | lodash.unset | 4.0.0 – 4.5.2 | — |
| lodash | lodash | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash | >= 4.17.23 < 4.18.0 | 4.18.0 |
| lodash | lodash-amd | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash-amd | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-amd | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-amd | >= 4.17.23 < 4.18.0 | 4.18.0 |
| lodash | lodash-es | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash-es | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-es | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-es | >= 4.17.23 < 4.18.0 | 4.18.0 |
| lodash | lodash.unset | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash.unset | >= 4.0.0 | — |
| ubuntu | node-lodash | — | — |
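As an added example (not part of this advisory or of the lodash project), the following Node script audits an npm `package-lock.json` against the version ranges in the table above, flagging every installed copy of `lodash`, `lodash-es`, `lodash-amd` or `lodash.unset` that falls inside a listed range. The sample lock file is constructed for the demonstration.

```javascript
// Added example, not part of the advisory or of lodash: audit an npm
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for lodash builds
// in the version ranges listed in the Affected table.

// Ranges from the table: introduced (inclusive) and fixed (exclusive).
// lodash.unset appears in the table both with fix 4.18.0 and with no fix at
// all; it is checked under the same ranges so it is never silently skipped.
const LODASH_PACKAGES = ['lodash', 'lodash-es', 'lodash-amd', 'lodash.unset'];
const ADVISORIES = [
  { id: 'CVE-2025-13465', from: '4.0.0', fixed: '4.17.23' }, // 4.0.0 through 4.17.22
  { id: 'CVE-2026-2950', from: '0.0.0', fixed: '4.18.0' },   // 4.17.23 and earlier
];

// Parse "major.minor.patch" into numbers. Prerelease/build metadata is ignored
// because lodash publishes plain release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Comparator result (<0, 0, >0); null when either side is unparseable.
function cmpVersion(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` lies in the half-open interval [from, fixed).
function inRange(version, from, fixed) {
  const lo = cmpVersion(version, from), hi = cmpVersion(version, fixed);
  return lo !== null && hi !== null && lo >= 0 && hi < 0;
}

// Package name from a lock-file path such as
// "node_modules/a/node_modules/lodash-es" or "node_modules/@scope/pkg".
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Walk the "packages" map and return one finding per (installed copy, advisory).
// Nested copies under a dependency's own node_modules are found as well, which
// is where an unpatched lodash usually hides after the top-level one is bumped.
function auditLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || !entry || !entry.version) continue; // root project entry
    const name = packageNameFromPath(path);
    if (!LODASH_PACKAGES.includes(name)) continue;
    for (const adv of ADVISORIES) {
      if (inRange(entry.version, adv.from, adv.fixed)) {
        findings.push({ path, name, version: entry.version, advisory: adv.id, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample: one unpatched transitive copy, one copy that carries the
// first fix but not the second, and one fully patched top-level copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.18.0' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash-es': { version: '4.17.23' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: node audit.js ./package-lock.json  (falls back to the sample)
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.advisory}: ${f.name}@${f.version} at ${f.path} (fixed in ${f.fixed})`);
  }
}
```

Run against the sample, the script reports the nested `lodash@4.17.21` for both CVEs and `lodash-es@4.17.23` for CVE-2026-2950 only; the top-level `lodash@4.18.0` is clean.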
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 6.9 | MEDIUM | — |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
Ubuntu
Lodash vulnerabilities
vendor_ubuntu·2026-06-09·CVSS 5.3
CVE-2025-13465 [MEDIUM] Lodash vulnerabilities
Title: Lodash vulnerabilities
Summary: Several security issues were fixed in Lodash.
It was discovered that Lodash was vulnerable to a prototype pollution
issue in the zipObjectDeep function. An attacker could possibly use this
issue to modify application behavior. This issue only affected Ubuntu
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)
Liyuan Chen discovered that Lodash was vulnerable to a regular
expression denial of service issue in the toNumber, trim, and trimEnd
functions. An attacker could possibly use this issue to consume
excessive system resources, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)
Marc Hassan discovered that Lodash did not properly sanitize input to
the template function. An attacker could
Red Hat
lodash: prototype pollution in _.unset and _.omit functions
vendor_redhat·2026-01-21·CVSS 6.9
CVE-2025-13465 [MEDIUM] CWE-1321 lodash: prototype pollution in _.unset and _.omit functions
lodash: prototype pollution in _.unset and _.omit functions
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.
Statement: This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user
Debian
CVE-2026-2950: node-lodash - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti...
vendor_debian·2026·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950: node-lodash - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti...
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.18.1+dfsg-1)
sid: resolved (fixed in 4.18.1+dfsg-1)
trixie: open
Debian
CVE-2025-13465: node-lodash - Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in t...
vendor_debian·2025·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465: node-lodash - Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in t...
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.17.21+dfsg+~cs8.31.198.20210220-10)
sid: resolved (fixed in 4.17.21+dfsg+~cs8.31.198.20210220-10)
trixie: open
GHSA
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
ghsa·2026-04-01·CVSS 6.9
CVE-2026-2950 [MEDIUM] CWE-1321 lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
### Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
### Patches
This issue is patched in 4.18.0.
### Workarounds
None. Upgrade to the patched version.
OSV
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
osv·2026-04-01·CVSS 6.9
CVE-2026-2950 [MEDIUM] lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
### Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
### Patches
This issue is patched in 4.18.0.
### Workarounds
None. Upgrade to the patched version.
OSV
CVE-2026-2950: Impact: Lodash versions 4
osv·2026-03-31·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950: Impact: Lodash versions 4
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
OSV
CVE-2025-13465: Lodash versions 4
osv·2026-01-21·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465: Lodash versions 4
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23
GHSA
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
ghsa·2026-01-21
CVE-2025-13465 [MEDIUM] CWE-1321 Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
### Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
### Patches
This issue is patched on 4.17.23.
OSV
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
osv·2026-01-21
CVE-2025-13465 [MEDIUM] Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
### Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
### Patches
This issue is patched on 4.17.23.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
bugzilla·2026-03-31·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Bugzilla
CVE-2025-13465 cockpit-image-builder: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 cockpit-image-builder: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 cockpit-image-builder: prototype pollution in _.unset and _.omit functions [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained vers
Bugzilla
CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [epel-8]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [epel-8]
CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [epel-8]
Discussion:
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-a8a5f6b41b
---
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been pushed to the Fedora 45 stable repository.
If problem still persists, please make note of it in this bug report.
Bugzilla
CVE-2025-13465 jowl: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 jowl: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 jowl: prototype pollution in _.unset and _.omit functions [fedora-42]
Discussion:
Tracking upstream https://github.com/daxelrod/jowl/pull/60 , will likely be able to release next week both upstream and in Fedora.
As Jowl is primarily a tool for users to run their own arbitrary code, I have trouble thinking of a threat model in which this is unknowingly exploitable.
Bugzilla
CVE-2025-13465 thunderbird: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 thunderbird: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 thunderbird: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-42]
Discussion:
This comes from the lodash JavaScript library. I'm not really sure how this impacts PyTorch, but it must be present in one of our build inputs or outputs?
---
I'm closing with the view that while this may be present in build inputs, as far as I am aware this JavaScript Library (lodash) does not appear in the Python code or compiled objects output by our build process.
Bugzilla
CVE-2025-13465 mozjs115: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 mozjs115: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 mozjs115: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 subscription-manager-cockpit: prototype pollution in _.unset and _.omit functions [fedora-43]
bugzilla·2026-01-26·CVSS 5.3
CVE-2025-13465 [MEDIUM] CVE-2025-13465 subscription-manager-cockpit: prototype pollution in _.unset and _.omit functions [fedora-43]
CVE-2025-13465 subscription-manager-cockpit: prototype pollution in _.unset and _.omit functions [fedora-43]
Discussion:
subscription-manager-cockpit-0:14.1-1.fc43.noarch is unaffected:
[root@fedora-43-127-0-0-2-2201 ~]# rpm -q --provides subscription-manager-cockpit
application()
application(subscription-manager-cockpit.desktop)
bundled(npm(@patternfly/react-core)) = 6.4.1
bundled(npm(@patternfly/react-icons)) = 6.4.0
bundled(npm(@patternfly/react-styles)) = 6.4.0
bundled(npm(@patternfly/react-table)) = 6.4.1
bundled(npm(@patternfly/react-tokens)) = 6.4.0
bundled(n
Bugzilla
CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-42]
Discussion:
Reported upstream: https://github.com/jupyterlab/jupyterlab/issues/18394
---
Fixed upstream in: https://github.com/jupyterlab/jupyterlab/commit/605c74633b362be94ee620a9b59792fa92a2914a
Bugzilla
CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 firefox: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 firefox: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 firefox: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 magicmirror-module-onthisday: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 magicmirror-module-onthisday: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 magicmirror-module-onthisday: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 forgejo: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 forgejo: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 forgejo: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 onnxruntime: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 onnxruntime: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 onnxruntime: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 magicmirror: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 magicmirror: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 magicmirror: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-43]
bugzilla·2026-01-26·CVSS 5.3
CVE-2025-13465 [MEDIUM] CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-43]
CVE-2025-13465 jupyterlab: prototype pollution in _.unset and _.omit functions [fedora-43]
Discussion:
Reported upstream: https://github.com/jupyterlab/jupyterlab/issues/18394
---
Fixed upstream in: https://github.com/jupyterlab/jupyterlab/commit/605c74633b362be94ee620a9b59792fa92a2914a
---
lodash is partially bundled but only internal HashMap utilities are included. The _.unset/_.omit functions (and their internals baseUnset/baseGet/castPath) are absent from the static bundle. Not exploitable.
Bugzilla
CVE-2025-13465 grafana-pcp: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 grafana-pcp: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 grafana-pcp: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [epel-8]
bugzilla·2026-01-26·CVSS 5.3
CVE-2025-13465 [MEDIUM] CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [epel-8]
CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [epel-8]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-13465 h3: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 h3: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 h3: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 ceph: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 ceph: prototype pollution in _.unset and _.omit functions [fedora-42]
CVE-2025-13465 ceph: prototype pollution in _.unset and _.omit functions [fedora-42]
Bugzilla
CVE-2025-13465 glances: prototype pollution in _.unset and _.omit functions [epel-9]
bugzilla·2026-01-26·CVSS 5.3
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-13465 icecat: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the
Bugzilla
CVE-2025-13465 grafana: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change th
Bugzilla
CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [fedora-43]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
This comes from the lodash JavaScript library. I'm not really sure how this impacts PyTorch, but it must be present in one of our build inputs or outputs?
---
I'm closing with the view that while this may be present in build inputs, as far as I am aware this JavaScript library (lodash) does not appear in the Python code or compiled objects output by our build process.
Bugzilla
CVE-2025-13465 python-torch: prototype pollution in _.unset and _.omit functions [epel-10]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
This comes from the lodash JavaScript library. I'm not really sure how this impacts PyTorch, but it must be present in one of our build inputs or outputs?
---
I'm closing with the view that while this may be present in build inputs, as far as I am aware this JavaScript library (lodash) does not appear in the Python code or compiled objects output by our build process.
Bugzilla
CVE-2025-13465 ansible: prototype pollution in _.unset and _.omit functions [fedora-43]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-a8a5f6b41b
---
FEDORA-2026-a8a5f6b41b (ansible-13.7.0-1.fc45 and ansible-core-2.20.6-1.fc45) has been pushed to the Fedora 45 stable repository.
If the problem still persists, please make note of it in this bug report.
Bugzilla
CVE-2025-13465 subscription-manager-cockpit: prototype pollution in _.unset and _.omit functions [fedora-42]
bugzilla·2026-01-26·CVSS 6.9
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintain
Bugzilla
CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
bugzilla·2026-01-21·CVSS 6.9
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Discussion:
This issue has been addressed in the following products:
Cryostat 4 on RHEL 9
Via RHSA-2026:1845 https://access.redhat.com/errata/RHSA-2026:1845
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:2438 https://access.redhat.com/errata/RHSA-2026:2438
---
This issue has been addressed in the following products:
Wiz
CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-2950: JavaScript vulnerability analysis and mitigation
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Source: NVD
Score: 6.5
Published March 31, 2026
Wiz
CVE-2025-13465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2025-13465: JavaScript vulnerability analysis and mitigation
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Source: NVD
Score: 6.9
Published January 21, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ipa-server-trust-ad
python3-jupytex
Published 2026-01-21