CVE-2025-13465

MEDIUM

NPM Lodash < 4.17.23 - Prototype Pollution

Title source: rule

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Exploits (1)

nomisec STUB

by jaytarr-geo · poc

https://github.com/jaytarr-geo/nextjs-lodash-cve-2025-13465-repro

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-1321

Status published

Products (5)

lodash/lodash 4.0.0 - 4.17.23

npm/lodash 4.0.0 - 4.17.23npm

npm/lodash-amd 4.0.0 - 4.17.23npm

npm/lodash-es 4.0.0 - 4.17.23npm

npm/lodash.unset 4.0.0npm

Published Jan 21, 2026

Tracked Since Feb 18, 2026