CVE-2025-13465
MediumCVSS 5.3Exploitation Probability (EPSS)
Elevated risk72th percentile - higher than 72% of all known CVEs
Summary
A vulnerability in Lodash versions 4.0.0 through 4.17.22 allows prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.
Risk Assessment
The risk involves the potential deletion of critical methods from object prototypes, which can lead to unexpected application behavior, errors, or denial of service (DoS). The issue does not allow overwriting behavior, but deleting methods can disrupt system functionality.
Recommendation
It is recommended to immediately update Lodash to version 4.17.23 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

