Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched on 4.17.23

Basic Information

ID CVE-2025-13465

Source openjs

Published Jan 21, 2026 at 19:05

Modified Jan 21, 2026 at 19:43

Affected Product

Vendor Lodash

Product Lodash

Version 4.0.0

Affected Versions Lodash Lodash 4.0.0
Lodash-amd Lodash-amd 4.0.0
lodash-es lodash-es 4.0.0
lodash.unset lodash.unset 4.0.0

CWE Classification

CWE-1321

References

github.com /lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

{
    "lastseen": "",
    "description": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23",
    "published": "2026-01-21T19:05:28.846Z",
    "modified": "2026-01-21T19:43:38.268Z",
    "type": "cve",
    "title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions",
    "source": "openjs",
    "references": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
    "id": "CVE-2025-13465",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "Lodash Lodash 4.0.0\nLodash-amd Lodash-amd 4.0.0\nlodash-es lodash-es 4.0.0\nlodash.unset lodash.unset 4.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Lodash",
    "version": "4.0.0",
    "vendor": "Lodash",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions_CVE-2025-13465