CVE-2025-13465 - Vulnerability Details - OpenCVE

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

History

Wed, 21 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23
Title		Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions
Weaknesses		CWE-1321
References		https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P'}`

MITRE

Status: PUBLISHED

Assigner: openjs

Published: 2026-01-21T19:05:28.846Z

Updated: 2026-01-21T19:43:38.268Z

Reserved: 2025-11-20T02:16:12.128Z

Link: CVE-2025-13465

Vulnrichment

Updated: 2026-01-21T19:43:23.093Z

NVD

Status : Received

Published: 2026-01-21T20:16:05.250

Modified: 2026-01-21T20:16:05.250

Link: CVE-2025-13465

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13465", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-11-20T02:16:12.128Z", "datePublished": "2026-01-21T19:05:28.846Z", "dateUpdated": "2026-01-21T19:43:38.268Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["https://github.com/lodash/lodash"], "packageName": "lodash", "product": "Lodash", "repo": "https://github.com/lodash/lodash", "vendor": "Lodash", "versions": [{"lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["https://github.com/lodash/lodash"], "product": "Lodash-amd", "repo": "https://github.com/lodash/lodash", "vendor": "Lodash-amd", "versions": [{"lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["https://github.com/lodash/lodash"], "product": "lodash-es", "repo": "https://github.com/lodash/lodash", "vendor": "lodash-es", "versions": [{"lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["https://github.com/lodash/lodash"], "product": "lodash.unset", "repo": "https://github.com/lodash/lodash", "vendor": "lodash.unset", "versions": [{"status": "affected", "version": "4.0.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lukas Euler"}, {"lang": "en", "type": "analyst", "value": "Jordan Harband"}, {"lang": "en", "type": "remediation reviewer", "value": "Micha\u0142 Lipi\u0144ski"}, {"lang": "en", "type": "remediation developer", "value": "Ulises Gasc\u00f3n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the <code>_.unset</code> and <code>_.omit</code> functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.</p><p>The issue permits deletion of properties but does not allow overwriting their original behavior.</p><p>This issue is patched on 4.17.23</p><br>"}], "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"}], "impacts": [{"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "CAPEC-77 Manipulating User-Controlled Variables"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-21T19:05:28.846Z"}, "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "source": {"advisory": "GHSA-xxjr-mmjv-4gpg", "discovery": "EXTERNAL"}, "title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T19:43:10.513400Z", "id": "CVE-2025-13465", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:43:38.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13465", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T19:43:10.513400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:43:23.093Z"}}], "cna": {"title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions", "source": {"advisory": "GHSA-xxjr-mmjv-4gpg", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Lukas Euler"}, {"lang": "en", "type": "analyst", "value": "Jordan Harband"}, {"lang": "en", "type": "remediation reviewer", "value": "Micha\u0142 Lipi\u0144ski"}, {"lang": "en", "type": "remediation developer", "value": "Ulises Gasc\u00f3n"}], "impacts": [{"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "CAPEC-77 Manipulating User-Controlled Variables"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/lodash/lodash", "vendor": "Lodash", "modules": ["https://github.com/lodash/lodash"], "product": "Lodash", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.17.22"}], "packageName": "lodash", "defaultStatus": "unaffected"}, {"repo": "https://github.com/lodash/lodash", "vendor": "Lodash-amd", "modules": ["https://github.com/lodash/lodash"], "product": "Lodash-amd", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.17.22"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/lodash/lodash", "vendor": "lodash-es", "modules": ["https://github.com/lodash/lodash"], "product": "lodash-es", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "semver", "lessThanOrEqual": "4.17.22"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/lodash/lodash", "vendor": "lodash.unset", "modules": ["https://github.com/lodash/lodash"], "product": "lodash.unset", "versions": [{"status": "affected", "version": "4.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23", "supportingMedia": [{"type": "text/html", "value": "<p>Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the <code>_.unset</code> and <code>_.omit</code> functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.</p><p>The issue permits deletion of properties but does not allow overwriting their original behavior.</p><p>This issue is patched on 4.17.23</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-21T19:05:28.846Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13465", "state": "PUBLISHED", "dateUpdated": "2026-01-21T19:43:38.268Z", "dateReserved": "2025-11-20T02:16:12.128Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-01-21T19:05:28.846Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"}], "id": "CVE-2025-13465", "lastModified": "2026-01-21T20:16:05.250", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-01-21T20:16:05.250", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}