CVE-2025-13465
published 2026-01-21
Priority: P434 (medium, CVSS 3.1 base score 5.3)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 1.54% (71.7th percentile)
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
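
The mechanism the description outlines, shown as an added example that is not lodash's own code: a minimal path-walking unset() of the walk-to-the-parent-then-delete shape, a hardened variant that refuses to step through a prototype, and a standalone path pre-check. The names unsetByPath, unsetByPathSafe, isSafePath, runDemo, runGlobalDemo, normalUse and the Widget class are hypothetical, introduced only for this illustration. The demo runs against a throwaway class and a temporarily added Object.prototype method so that a successful deletion does not damage the runtime. The same pre-check belongs in front of any omit-style call that accepts deep paths, since the description names _.omit as equally affected.

```javascript
// Added example (not lodash's code): a model of the path-walking unset()
// shape, a hardened variant, and a path pre-check. Every function and class
// name here is hypothetical, introduced only for this illustration.

const PROTOTYPE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Accept an array path or a dotted string path.
function toPath(path) {
  return Array.isArray(path) ? path.slice() : String(path).split(".");
}

// Vulnerable shape: walk to the parent of the last segment, then delete it.
// Nothing stops the walk from stepping through __proto__ or
// constructor.prototype, so the final delete can land on a shared prototype.
function unsetByPath(object, path) {
  const segments = toPath(path);
  let parent = object;
  for (let i = 0; i < segments.length - 1; i++) {
    if (parent == null) return true;
    parent = parent[segments[i]];
  }
  if (parent == null) return true;
  return delete parent[segments[segments.length - 1]];
}

// Pre-check for any library unset/omit call that receives caller-supplied
// paths: refuse segments whose only use is to reach a prototype.
function isSafePath(path) {
  return toPath(path).every((segment) => !PROTOTYPE_SEGMENTS.has(segment));
}

// Hardened shape: reject prototype-reaching segments and walk own properties
// only, so the delete can only ever hit the caller's own object tree.
function unsetByPathSafe(object, path) {
  const segments = toPath(path);
  if (!isSafePath(segments)) return false; // refused
  let parent = object;
  for (let i = 0; i < segments.length - 1; i++) {
    if (parent == null || !Object.prototype.hasOwnProperty.call(parent, segments[i])) {
      return true; // nothing to delete
    }
    parent = parent[segments[i]];
  }
  if (parent == null) return true;
  return delete parent[segments[segments.length - 1]]; // delete only removes own props
}

// Throwaway class standing in for any shared prototype.
class Widget {
  render() { return "rendered"; }
}

// Ask unsetFn to remove `path` from one Widget and report whether an
// unrelated Widget lost its render() method as a side effect. Restores the
// method afterwards so the demo is repeatable.
function runDemo(unsetFn, path) {
  const originalRender = Widget.prototype.render;
  const target = new Widget();
  const bystander = new Widget();
  try {
    const result = unsetFn(target, path);
    const methodLostForEveryone = typeof bystander.render !== "function";
    return { result, methodLostForEveryone };
  } finally {
    Widget.prototype.render = originalRender;
  }
}

// Same experiment against Object.prototype, using a constructed method name
// (demoMethod) rather than a real one so the runtime is not damaged.
function runGlobalDemo(unsetFn) {
  Object.defineProperty(Object.prototype, "demoMethod", {
    value: () => "shared", configurable: true, writable: true, enumerable: false,
  });
  try {
    const result = unsetFn({}, ["__proto__", "demoMethod"]);
    const gone = typeof ({}).demoMethod !== "function";
    return { result, gone };
  } finally {
    delete Object.prototype.demoMethod;
  }
}

// Legitimate use still works: removes one own nested property and nothing else.
function normalUse() {
  const record = { profile: { email: "a@example.test", ssn: "redact-me" } }; // constructed sample
  const result = unsetByPathSafe(record, "profile.ssn");
  return { result, record };
}

console.log("vulnerable, constructor.prototype path:", runDemo(unsetByPath, "constructor.prototype.render"));
console.log("hardened,   constructor.prototype path:", runDemo(unsetByPathSafe, "constructor.prototype.render"));
console.log("vulnerable, __proto__ path:", runGlobalDemo(unsetByPath));
console.log("hardened,   __proto__ path:", runGlobalDemo(unsetByPathSafe));
```

In a real service the attacker-controlled value is typically a field list a client asks to strip or a key path in a patch document; run isSafePath on it before the library call, or upgrade past the affected range. As the description says, this bug deletes but cannot replace a method, so the observable effect is a TypeError or a behaviour change wherever code relies on the removed method, not arbitrary code execution.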

Affected

19 ranges reported by the sources (16 distinct once exact duplicate rows are collapsed):

Vendor       | Product      | Version range                                               | Fixed in
debian       | node-lodash  | < node-lodash 4.18.1+dfsg-1 (forky)                          | node-lodash 4.18.1+dfsg-1 (forky)
debian       | node-lodash  | < node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-10 (forky)   | node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-10 (forky)
lodash.unset | lodash.unset | >= 4.0.0, < 4.18.0                                           | 4.18.0
lodash.unset | lodash.unset | 4.0.0 – 4.5.2                                                | (none listed)
lodash       | lodash       | >= 0, < 4.18.0                                               | 4.18.0
lodash       | lodash       | >= 4.0.0, < 4.17.23                                          | 4.17.23
lodash       | lodash       | >= 4.17.23, < 4.18.0                                         | 4.18.0
lodash       | lodash-amd   | >= 0, < 4.18.0                                               | 4.18.0
lodash       | lodash-amd   | >= 4.0.0, < 4.17.23                                          | 4.17.23
lodash       | lodash-amd   | >= 4.17.23, < 4.18.0                                         | 4.18.0
lodash       | lodash-es    | >= 0, < 4.18.0                                               | 4.18.0
lodash       | lodash-es    | >= 4.0.0, < 4.17.23                                          | 4.17.23
lodash       | lodash-es    | >= 4.17.23, < 4.18.0                                         | 4.18.0
lodash       | lodash.unset | >= 4.0.0, < 4.18.0                                           | 4.18.0
lodash       | lodash.unset | >= 4.0.0                                                     | (none listed)
ubuntu       | node-lodash  | (no range listed)                                            | (none listed)

Note the disagreement between sources: for lodash, lodash-amd and lodash-es some ranges end at 4.17.23 (matching the description) while others treat 4.17.23 through 4.17.x as still affected and name 4.18.0 as the fix. Pinning to 4.18.0 or later satisfies every range listed here. The standalone per-method package lodash.unset has one range with no fixed version listed, so check its resolved version separately if it appears in a lockfile.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd            | v4.0    | 6.9   | MEDIUM   | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa           |         | 6.9   | MEDIUM   |
osv            |         | 6.9   | MEDIUM   |
vendor_debian  |         | 6.9   | MEDIUM   |
vendor_redhat  |         | 6.9   | MEDIUM   |
vendor_ubuntu  |         | 5.3   | MEDIUM   |

The gap between 5.3 and 6.9 comes from the scoring model rather than a different view of the bug: the v3.1 vector has scope unchanged with low integrity impact only, while the v4.0 vector rates subsequent-system impact high (SC:H/SI:H/SA:H), reflecting that a deleted method on a global prototype affects everything else running in the same process.