Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions
Summary
| CVE | CVE-2025-13465 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-21 20:16:05 UTC |
| Updated | 2026-07-10 12:16:24 UTC |
| Description | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23 |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.015350000 probability, percentile 0.718910000 (date 2026-07-12)
Problem Types: CWE-1321 | CWE-1321 CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P |
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | ADP | CVSS | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:34100 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:18480 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3960 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3962 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3958 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3825 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5636 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:2818 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2816 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17469 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2469 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2465 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33154 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4782 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14871 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2675 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4423 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21658 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36882 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24331 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2119 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3782 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14774 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2145 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2147 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2149 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20088 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3710 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8218 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4466 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2984 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2484 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11414 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2926 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2694 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:1845 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33371 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2661 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6288 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8229 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4467 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15091 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| cert-portal.siemens.com/productcert/html/ssa-253495.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| access.redhat.com/errata/RHSA-2026:2148 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3422 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13829 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20042 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3869 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13548 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6567 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13542 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:18868 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2452 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2900 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9848 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4630 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2462 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6192 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2819 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2817 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2438 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-13465 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2990 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19712 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3087 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2672 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14870 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3884 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2078 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6497 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3870 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3874 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5633 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-13465.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Lukas Euler (en)
CNA: Jordan Harband (en)
CNA: Michał Lipiński (en)
CNA: Ulises Gascón (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-21T20:01:28.774Z | Reported to Red Hat. |
| ADP | 2026-01-21T19:05:28.846Z | Made public. |
Solutions
ADP: RHSA-2026:33371: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server
ADP: RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:1845: Cryostat 4 on RHEL 9
ADP: RHSA-2026:18480: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:24331: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:18868: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:4782: Cluster Observability Operator 1.4.0
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:2818: Red Hat Enterprise Linux High Availability EUS (v. 10.0)
ADP: RHSA-2026:2438: Red Hat Enterprise Linux High Availability (v. 10)
ADP: RHSA-2026:2462: Red Hat Enterprise Linux High Availability AUS (v.8.4), Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)
ADP: RHSA-2026:2469: Red Hat Enterprise Linux High Availability E4S (v.8.6), Red Hat Enterprise Linux High Availability TUS (v.8.6)
ADP: RHSA-2026:2465: Red Hat Enterprise Linux High Availability E4S (v.8.8), Red Hat Enterprise Linux High Availability TUS (v.8.8)
ADP: RHSA-2026:2484: Red Hat Enterprise Linux High Availability E4S (v.9.0), Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)
ADP: RHSA-2026:2819: Red Hat Enterprise Linux High Availability E4S (v.9.2), Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)
ADP: RHSA-2026:2817: Red Hat Enterprise Linux High Availability EUS (v.9.4), Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)
ADP: RHSA-2026:2816: Red Hat Enterprise Linux High Availability EUS (v.9.6), Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)
ADP: RHSA-2026:2452: Red Hat Enterprise Linux High Availability (v. 9), Red Hat Enterprise Linux Resilient Storage (v. 9)
ADP: RHSA-2026:2900: Network Observability (NETOBSERV) 1.11.2
ADP: RHSA-2026:5633: Red Hat Advanced Cluster Management for Kubernetes 2.12
ADP: RHSA-2026:8229: Red Hat Advanced Cluster Management for Kubernetes 2.13
ADP: RHSA-2026:36882: Red Hat Advanced Cluster Management for Kubernetes 2.14
ADP: RHSA-2026:13548: Red Hat Advanced Cluster Management for Kubernetes 2.15
ADP: RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10
ADP: RHSA-2026:4466: Red Hat Advanced Cluster Security for Kubernetes 4.8
ADP: RHSA-2026:4467: Red Hat Advanced Cluster Security for Kubernetes 4.9
ADP: RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:33154: Red Hat Ceph Storage 7.1
ADP: RHSA-2026:4630: Red Hat Data Grid 8.6.0
ADP: RHSA-2026:2675: Red Hat Developer Hub 1.8
ADP: RHSA-2026:2694: Red Hat Discovery 2
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:3782: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:19712: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:3870: Red Hat OpenShift Container Platform 4.12
ADP: RHSA-2026:3422: Red Hat OpenShift Container Platform 4.13
ADP: RHSA-2026:2990: Red Hat OpenShift Container Platform 4.14
ADP: RHSA-2026:15091: Red Hat OpenShift Container Platform 4.14
ADP: RHSA-2026:4423: Red Hat OpenShift Container Platform 4.15
ADP: RHSA-2026:14774: Red Hat OpenShift Container Platform 4.15
ADP: RHSA-2026:2661: Red Hat OpenShift Container Platform 4.16
ADP: RHSA-2026:20088: Red Hat OpenShift Container Platform 4.16
ADP: RHSA-2026:34100: Red Hat OpenShift Container Platform 4.17
ADP: RHSA-2026:2672: Red Hat OpenShift Container Platform 4.17
ADP: RHSA-2026:21658: Red Hat OpenShift Container Platform 4.18
ADP: RHSA-2026:2078: Red Hat OpenShift Container Platform 4.18
ADP: RHSA-2026:20042: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:2651: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:17469: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:2119: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:2984: Red Hat OpenShift Container Platform 4.21
ADP: RHSA-2026:6192: Red Hat OpenShift Dev Spaces 3.27
ADP: RHSA-2026:3869: Red Hat OpenShift GitOps 1.17
ADP: RHSA-2026:3874: Red Hat OpenShift GitOps 1.18
ADP: RHSA-2026:3884: Red Hat OpenShift GitOps 1.19
ADP: RHSA-2026:3710: Red Hat OpenShift Pipelines 1.15
ADP: RHSA-2026:3825: Red Hat OpenShift Pipelines 1.2
ADP: RHSA-2026:2145: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:2148: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:2149: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:2147: Red Hat OpenShift Service Mesh 3
ADP: RHSA-2026:6497: Red Hat Quay 3.16
ADP: RHSA-2026:6567: Red Hat Quay 3.16
ADP: RHSA-2026:14870: Red Hat Satellite 6.18
ADP: RHSA-2026:14871: Red Hat Satellite 6.18
ADP: RHSA-2026:6288: Red Hat Satellite 6.18
ADP: RHSA-2026:2926: Red Hat Trusted Artifact Signer 1.2
ADP: RHSA-2026:3087: Red Hat Trusted Artifact Signer 1.3
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
ADP: RHSA-2026:13542: multicluster engine for Kubernetes 2.10
ADP: RHSA-2026:9848: multicluster engine for Kubernetes 2.6
ADP: RHSA-2026:5636: multicluster engine for Kubernetes 2.7
ADP: RHSA-2026:8218: multicluster engine for Kubernetes 2.8
ADP: RHSA-2026:11414: multicluster engine for Kubernetes 2.9
Workarounds
ADP: To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.