Prototype Pollution in Lodash
CVE-2025-13465
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of…
Vulnerability class: Prototype Pollution
EPSS: 0.015 (71.7th percentile)
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Lodash — versions 4.0.0
- Lodash-amd — versions 4.0.0
- Lodash-es — versions 4.0.0
- Lodash.unset — versions 4.0.0
Weakness classification (CWE)
Public proof-of-concept exploits
Frequently asked questions
- What is CVE-2025-13465?
- CVE-2025-13465 is a medium-severity vulnerability in Lodash, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 5.3/10. Published 2026-01-21.
- How severe is CVE-2025-13465?
- Medium severity. CVSS v3 base score is 5.3 out of 10.
- Is CVE-2025-13465 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.