Prototype Pollution Vulnerability in Lodash by Lodash
CVE-2025-13465
6.9 MEDIUM
What is CVE-2025-13465?
Lodash versions 4.0.0 through 4.17.22 are susceptible to prototype pollution via the _.unset and _.omit functions. An attacker who can supply the path argument to these functions can use a crafted path to delete methods from global prototypes. Although this vulnerability allows properties to be removed, it does not allow their original functionality to be altered. The issue has been resolved in Lodash version 4.17.23. For more information, refer to the security advisory on Lodash's GitHub page.
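The practical defence for code that cannot upgrade immediately is to never forward an untrusted path to _.unset or _.omit without validating its segments, and to have a cheap check that notices when a built-in prototype method has gone missing (the symptom this advisory describes). The following is an added example written for this page, not Lodash's own code: it parses lodash-style string or array paths, rejects any segment that could reach a prototype, wraps whatever unset function you hand it, and reports built-in methods that have been deleted. The helper names (toPathSegments, isSafePath, guardedUnset, missingPrototypeMethods) and the deny-list are this example's own choices.

```javascript
// Added example for this advisory, not Lodash code. Assumes lodash-style
// paths: dot notation, numeric bracket indices, quoted bracket keys, or an
// array of keys. Helper names below are hypothetical.

// Segments that let a path walk from a plain object into a prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0]['c']" into ["a", "b", "0", "c"]; arrays are used as-is.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  const segments = [];
  const re = /[^.[\]]+|\[(?:(\d+)|(["'])(.*?)\2)\]/g;
  let m;
  while ((m = re.exec(String(path))) !== null) {
    if (m[1] !== undefined) segments.push(m[1]);      // [0]
    else if (m[3] !== undefined) segments.push(m[3]); // ['key'] or ["key"]
    else segments.push(m[0]);                          // plain dotted key
  }
  return segments;
}

// True only if no segment of the path is in the deny-list.
function isSafePath(path) {
  return toPathSegments(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Wrap any unset implementation (for example _.unset) so unsafe paths are
// refused before they reach the library on an unpatched version.
function guardedUnset(unsetFn, object, path) {
  if (!isSafePath(path)) {
    throw new Error(`refusing to unset path with forbidden segment: ${String(path)}`);
  }
  return unsetFn(object, path);
}

// Detection: capture getOwnPropertyDescriptor at load time so the check
// itself keeps working even if Object.prototype methods are later removed.
const getDescriptor = Object.getOwnPropertyDescriptor;
const WATCHED = [
  [Object.prototype, ['toString', 'hasOwnProperty', 'valueOf']],
  [Array.prototype, ['push', 'map', 'forEach']],
  [Function.prototype, ['call', 'apply', 'bind']],
];

// Returns the names of watched built-in methods that no longer exist.
function missingPrototypeMethods() {
  const missing = [];
  for (const [proto, names] of WATCHED) {
    for (const name of names) {
      if (getDescriptor(proto, name) === undefined) missing.push(name);
    }
  }
  return missing;
}

// Usage on a constructed object with a stand-in unset (not Lodash's).
const record = { user: { name: 'constructed', role: 'viewer' } };
const standInUnset = (obj, p) => {
  const segs = toPathSegments(p);
  let cur = obj;
  for (const s of segs.slice(0, -1)) cur = cur[s];
  return delete cur[segs[segs.length - 1]];
};
guardedUnset(standInUnset, record, 'user.role');
console.log(record, missingPrototypeMethods());
```

Run missingPrototypeMethods() at startup and periodically (or after processing untrusted input) and alert on a non-empty result; the real fix remains upgrading to Lodash 4.17.23, with the guard as a stop-gap for code paths that hand user-controlled paths to _.unset or _.omit.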
Affected Version(s)
Lodash 4.0.0 through 4.17.22 (inclusive)
Lodash-amd 4.0.0 through 4.17.22 (inclusive)
lodash-es 4.0.0 through 4.17.22 (inclusive)
CVSS v4
Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Credit
Lukas Euler
Jordan Harband
Michał Lipiński
Ulises Gascón
