CVE-2025-13465

5.3 MEDIUM

📋 TL;DR

Lodash versions 4.0.0 through 4.17.22 contain a prototype pollution vulnerability in _.unset and _.omit functions. Attackers can craft paths to delete methods from global prototypes, potentially breaking application functionality. This affects any application using vulnerable Lodash versions.

💻 Affected Systems

Products:
  • Lodash
Versions: 4.0.0 through 4.17.22
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using _.unset or _.omit functions with attacker-controlled input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical application functionality breaks due to deletion of essential prototype methods, causing denial of service or unexpected behavior.

🟠 Likely Case

Application instability or crashes when specific functionality relying on deleted prototype methods is invoked.

🟢 If Mitigated

Limited impact if input validation prevents malicious path manipulation.

🌐 Internet-Facing: MEDIUM - Requires attacker to control input to vulnerable functions, but many web applications accept user input.
🏢 Internal Only: LOW - Internal applications typically have more controlled input sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control input passed to the vulnerable functions. A proof of concept is available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.17.23

Vendor Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Restart Required: No

Instructions:

1. Update the Lodash dependency to version 4.17.23 or later.
2. Run 'npm update lodash' or 'yarn upgrade lodash'.
3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Input validation

Applies to: all

Validate and sanitize all user input before passing it to _.unset or _.omit.

🧯 If You Can't Patch

  • Avoid using _.unset and _.omit functions with untrusted input
  • Implement strict input validation for all paths passed to Lodash functions
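Both bullets above come down to one check: reject any path whose segments could walk onto a prototype before it reaches _.unset or _.omit. The code below is an added example, not lodash's own code or a patch from the project; the names `toSegments`, `isSafePath`, `safeUnset` and `safeOmit` are this example's own, and the plain own-property deletion stands in for `_.unset` so the snippet runs without lodash installed.

```javascript
// Added example (not lodash code): guard paths before they reach _.unset / _.omit.
// Assumption: the application can normalise and check a path before calling lodash.

// Segments that let a path leave the object and land on a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split dotted/bracket notation into segments: "a.b[0].c" -> ["a", "b", "0", "c"],
// 'a["x"]' -> ["a", "x"]. Array paths are used as given (coerced to strings).
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  const out = [];
  const re = /[^.[\]]+|\[(?:"([^"]*)"|'([^']*)'|([^\]]*))\]/g;
  let m;
  while ((m = re.exec(String(path))) !== null) {
    out.push(m[1] ?? m[2] ?? m[3] ?? m[0]);
  }
  return out;
}

// A path is safe when it is non-empty and no segment is a prototype hop.
function isSafePath(path) {
  const segs = toSegments(path);
  return segs.length > 0 && segs.every((s) => !FORBIDDEN_SEGMENTS.has(s));
}

// Stand-in for _.unset used here so the example runs offline: walks only OWN
// properties of plain objects, so it can never reach a prototype by itself.
function plainUnset(obj, segs) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== "object" || !hasOwn(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (cur === null || typeof cur !== "object" || !hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}

// Wrapper an application would put in front of the lodash call: validate first,
// then unset. Replace plainUnset with _.unset(obj, segs) in real code.
function safeUnset(obj, path) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing to unset unsafe path: ${JSON.stringify(path)}`);
  }
  return plainUnset(obj, toSegments(path));
}

// Omit counterpart: deep-copies plain data (JSON round trip is enough for the
// constructed sample) so the caller's object is untouched, then unsets each path.
function safeOmit(obj, paths) {
  const copy = JSON.parse(JSON.stringify(obj));
  for (const p of paths) safeUnset(copy, p);
  return copy;
}

// Constructed sample: a profile plus a user-supplied list of fields to drop.
function demoSafeOmit() {
  const profile = { name: "alice", address: { city: "Oslo", zip: "0150" }, tags: ["a", "b"] };
  const cleaned = safeOmit(profile, ["address.zip", "tags"]);
  let rejected = null;
  try {
    safeOmit(profile, ["constructor.prototype.toString"]);
  } catch (e) {
    rejected = e.message;
  }
  return { cleaned, rejected, originalIntact: profile.address.zip === "0150" };
}
```

In an application the lodash call replaces `plainUnset` once `isSafePath` has passed; the guard rejects `__proto__`, `constructor` and `prototype` in both string and array form, and the own-property walk is defense in depth because it never follows the prototype chain even if a segment slipped through.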

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list lodash' to see installed version.

Check Version:

npm list lodash | grep lodash

Verify Fix Applied:

Confirm the installed lodash version is 4.17.23 or higher after the update.
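`npm list lodash` needs an installed node_modules tree; in CI it is often simpler to read package-lock.json directly, which also surfaces nested copies that another dependency pins on its own. The script below is an added example, not an npm or lodash tool; it assumes lockfileVersion 2 or 3 (the `packages` map), uses a constructed sample lockfile, and the function names are this example's own.

```javascript
// Added example (not an npm or lodash tool): find lodash copies in a
// package-lock.json that fall in the affected range 4.0.0 through 4.17.22.
// Assumption: lockfileVersion 2 or 3, where "packages" maps install paths to metadata.

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes ignored); null if not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

const AFFECTED_MIN = [4, 0, 0]; // first affected release per the advisory
const FIXED = [4, 17, 23];       // first fixed release per the advisory

// True when AFFECTED_MIN <= version < FIXED.
function isVulnerableLodash(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Walk every installed package; keys look like "node_modules/lodash" for the
// top-level copy and "node_modules/<dep>/node_modules/lodash" for nested ones.
function findVulnerableLodash(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    if (isVulnerableLodash(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the top-level lodash is fixed, but a dependency
// carries its own nested copy still on 4.17.22.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { lodash: "^4.17.21", "some-lib": "^1.0.0" } },
    "node_modules/lodash": { version: "4.17.23" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { lodash: "4.17.22" } },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.22" },
  },
};

// In a real pipeline: findVulnerableLodash(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
function demoLockfileScan() {
  return findVulnerableLodash(SAMPLE_LOCKFILE);
}
```

A non-empty result means the update has not fully landed: the nested copy in the sample would still be loaded by `some-lib` even though the top-level lodash reports 4.17.23, which is why checking only the version shown by `npm list lodash | grep lodash` at the root can be misleading.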

📡 Detection & Monitoring

Log Indicators:

  • Application errors related to missing prototype methods
  • Unexpected behavior in Lodash function calls

Network Indicators:

  • Unusual input patterns in API calls to endpoints using Lodash

SIEM Query:

Search for application logs containing 'TypeError', 'undefined', or 'not a function' errors following Lodash function calls.
