🔐 CVE Alert

CVE-2025-13465

UNKNOWN 0.0

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. It is patched in 4.17.23.

CWE: CWE-1321
Vendor: lodash
Product: lodash
Published: Jan 21, 2026
Last Updated: Jun 2, 2026

Affected Versions

Lodash / Lodash: 4.0.0 through 4.17.22
Lodash-amd / Lodash-amd: 4.0.0 through 4.17.22
lodash-es / lodash-es: 4.0.0 through 4.17.22
lodash.unset / lodash.unset: 4.0.0
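
To find installs that fall inside these ranges, the following added example (not part of the advisory or of Lodash) walks the `packages` map of a parsed `package-lock.json`, assuming lockfileVersion 2 or 3. The function names and the sample lockfile are constructed for illustration; lodash.unset is matched only at the single version this page lists.

```javascript
// Added example: ranges copied from this page's "Affected Versions" list.
const AFFECTED = new Map([
  ['lodash',       ['4.0.0', '4.17.22']],
  ['lodash-amd',   ['4.0.0', '4.17.22']],
  ['lodash-es',    ['4.0.0', '4.17.22']],
  ['lodash.unset', ['4.0.0', '4.0.0']], // the page lists only this version
]);

// Parse "major.minor.patch"; returns null for git URLs, tags, prereleases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// lock: parsed package-lock.json object (hypothetical helper, not an npm API).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/lodash"; aliases carry meta.name.
    const name = meta.name || path.split('node_modules/').pop();
    if (!AFFECTED.has(name) || !meta.version) continue;
    const [min, max] = AFFECTED.get(name).map(parseVersion);
    const v = parseVersion(meta.version);
    const inRange = v && compare(v, min) >= 0 && compare(v, max) <= 0;
    // Versions that cannot be parsed are reported for manual review.
    if (!v || inRange) hits.push({ path, name, version: meta.version, status: v ? 'affected' : 'unparsed' });
  }
  return hits;
}

// Constructed sample lockfile, including nested and scoped packages.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/lodash-es': { version: '4.17.23' },
  'node_modules/foo/node_modules/lodash': { version: '3.10.1' },
  'node_modules/lodash.unset': { version: '4.0.0' },
  'node_modules/@scope/pkg': { version: '4.1.0' },
}};
console.log(findAffected(sampleLock));
```

Nested copies pulled in by other dependencies are reported with their full lockfile path, which is where an old Lodash usually hides.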

References

github.com: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
cert-portal.siemens.com: https://cert-portal.siemens.com/productcert/html/ssa-253495.html

Credits

Lukas Euler, Jordan Harband, Michał Lipiński, Ulises Gascón