CVE-2025-13465

MEDIUM

lodash 4.0.0-4.17.22 - Prototype Pollution via _.unset and _.omit Functions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-13465. PoCs published by jaytarr-geo.

AI-analyzed exploit summary The repository contains only a basic Next.js project setup with no exploit code or technical details related to CVE-2025-13465. It lacks any demonstration of the vulnerability or analysis.

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Exploits (1)

nomisec STUB
by jaytarr-geo · poc
https://github.com/jaytarr-geo/nextjs-lodash-cve-2025-13465-repro

The repository contains only a basic Next.js project setup with no exploit code or technical details related to CVE-2025-13465. It lacks any demonstration of the vulnerability or analysis.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Next.js (version unspecified)
No auth needed
Prerequisites: None
devstral-2 · analyzed Mar 11, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.3
EPSS 0.0003
EPSS Percentile 8.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (9)
Lodash/Lodash 4.0.0 - 4.17.22
lodash/lodash 4.0.0 - 4.17.23
Lodash-amd/Lodash-amd 4.0.0 - 4.17.22
lodash-es/lodash-es 4.0.0 - 4.17.22
lodash.unset/lodash.unset 4.0.0
npm/lodash 4.0.0 - 4.17.23npm
npm/lodash-amd 4.0.0 - 4.17.23npm
npm/lodash-es 4.0.0 - 4.17.23npm
npm/lodash.unset 4.0.0 - 4.5.2npm
Published Jan 21, 2026
Tracked Since Feb 18, 2026