Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions
Summary
| CVE | CVE-2025-13465 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-21 20:16:05 UTC |
| Updated | 2026-06-02 14:16:28 UTC |
| Description | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23. |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000280000 probability, percentile 0.082670000 (date 2026-06-08)
Problem Types: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P |
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Lodash | Lodash | affected: 4.0.0 through 4.17.22 (semver) | Not specified |
| CNA | Lodash-amd | Lodash-amd | affected: 4.0.0 through 4.17.22 (semver) | Not specified |
| CNA | Lodash-es | Lodash-es | affected: 4.0.0 through 4.17.22 (semver) | Not specified |
| CNA | Lodash.unset | Lodash.unset | affected: 4.0.0 | Not specified |
| ADP | Siemens | RUGGEDCOM RST2428P | affected: V4.0 (custom versioning) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Vendor Advisory |
| cert-portal.siemens.com/productcert/html/ssa-253495.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Lukas Euler
CNA: Jordan Harband
CNA: Michał Lipiński
CNA: Ulises Gascón