CVE Catalog

CVE-2025-13465

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.54%

72th percentile - higher than 72% of all known CVEs

Summary

A vulnerability in Lodash versions 4.0.0 through 4.17.22 allows prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.

Risk Assessment

The risk involves the potential deletion of critical methods from object prototypes, which can lead to unexpected application behavior, errors, or denial of service (DoS). The issue does not allow overwriting behavior, but deleting methods can disrupt system functionality.

Recommendation

It is recommended to immediately update Lodash to version 4.17.23 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Vulnerability data from NVD (NIST) · CISA KEV · EPSS