CVE-2025-13465: Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Security readout for executives and security teams
Plain-English summary
This vulnerability affects Lodash path handling in _.unset and _.omit. If an application passes attacker-controlled paths into these functions, an attacker may delete properties from global prototypes. That can break expected JavaScript behavior and cause availability impact. The source says behavior can be deleted, not overwritten, and Lodash 4.17.23 patches the issue.
Executive priority
Treat as high priority for web applications and products that process user-controlled object paths. The public record does not prove active exploitation, but the unauthenticated network CVSS profile and availability impact justify rapid inventory, upgrade planning, and focused validation of reachable Lodash usage.
Technical view
CVE-2025-13465 is CWE-1321 prototype pollution in Lodash _.unset and _.omit for versions 4.0.0 through 4.17.22. Crafted paths can delete methods from global prototypes, causing integrity and availability impact. The CVSS 3.1 score is 8.2 with network, unauthenticated, low-complexity attack conditions. The source states deletion only, not behavior overwrite.
Likely exposure
Exposure is likely where JavaScript applications use vulnerable Lodash versions and pass untrusted user-controlled path strings to _.unset or _.omit. Direct and transitive dependencies should be checked, including the related package names listed in the source bundle. Server-side and client-side impact depends on reachable code paths.
Exploitation context
The bundle does not show CISA KEV listing and does not provide cited evidence of active exploitation. Exploitation requires a reachable use of _.unset or _.omit with crafted path input. The impact is most credible as application breakage or denial of service from deleted prototype methods, not arbitrary overwrite.
Researcher notes
The key constraint is source-confirmed impact: crafted paths can delete prototype properties, but the issue does not overwrite original behavior. Validate reachability, not just package presence. Evidence is incomplete for downstream package version ranges and active exploitation, so avoid claims beyond the bundle.
Mitigation direction
Upgrade Lodash to 4.17.23 where applicable.
Review vendor advisories for packaged or appliance-delivered Lodash copies.
Block or strictly validate untrusted path input before _.unset or _.omit.
Inventory transitive dependencies that bundle vulnerable Lodash versions.
Prioritize internet-facing services with user-controlled object path inputs.
Validation and detection
Check dependency manifests and lockfiles for Lodash 4.0.0 through 4.17.22.
Search code for _.unset and _.omit usage with request-derived path values.
Confirm production bundles do not include vulnerable Lodash copies.
Review Red Hat and Siemens advisories if those products are in scope.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1321: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1321 · source CWE mapping
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.