CVE-2025-13465

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg	Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-253495.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

History

02 Jun 2026, 14:16

Type	Values Removed	Values Added
References		() https://cert-portal.siemens.com/productcert/html/ssa-253495.html -
Summary		(es) Las versiones de Lodash 4.0.0 a 4.17.22 son vulnerables a la contaminación de prototipos en las funciones _.unset y _.omit. Un atacante puede pasar rutas manipuladas que hacen que Lodash elimine métodos de prototipos globales. El problema permite la eliminación de propiedades, pero no permite sobrescribir su comportamiento original. Este problema está parcheado en 4.17.23

17 Feb 2026, 17:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:lodash:lodash::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Lodash Lodash lodash
References	~~() https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg -~~	() https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg - Vendor Advisory

21 Jan 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-21 20:16

Updated : 2026-06-02 14:16

NVD link : CVE-2025-13465

Mitre link : CVE-2025-13465

CVE.ORG link : CVE-2025-13465

JSON object : View

Products Affected

lodash

lodash

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2025-13465", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-21T20:16:05.250", "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", "tags": ["Vendor Advisory"], "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"}, {"lang": "es", "value": "Las versiones de Lodash 4.0.0 a 4.17.22 son vulnerables a la contaminaci\u00f3n de prototipos en las funciones _.unset y _.omit. Un atacante puede pasar rutas manipuladas que hacen que Lodash elimine m\u00e9todos de prototipos globales.\n\nEl problema permite la eliminaci\u00f3n de propiedades, pero no permite sobrescribir su comportamiento original.\n\nEste problema est\u00e1 parcheado en 4.17.23"}], "lastModified": "2026-06-02T14:16:28.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0F9E287B-784B-472D-9FA2-1469E4C8A810", "versionEndExcluding": "4.17.23", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}