LiveActive security incident?Get immediate response
CVE Record

CVE-2025-13465: Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

HighCVSS 8.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This vulnerability affects Lodash path handling in _.unset and _.omit. If an application passes attacker-controlled paths into these functions, an attacker may delete properties from global prototypes. That can break expected JavaScript behavior and cause availability impact. The source says behavior can be deleted, not overwritten, and Lodash 4.17.23 patches the issue.

Executive priority

Treat as high priority for web applications and products that process user-controlled object paths. The public record does not prove active exploitation, but the unauthenticated network CVSS profile and availability impact justify rapid inventory, upgrade planning, and focused validation of reachable Lodash usage.

Technical view

CVE-2025-13465 is CWE-1321 prototype pollution in Lodash _.unset and _.omit for versions 4.0.0 through 4.17.22. Crafted paths can delete methods from global prototypes, causing integrity and availability impact. The CVSS 3.1 score is 8.2 with network, unauthenticated, low-complexity attack conditions. The source states deletion only, not behavior overwrite.

Likely exposure

Exposure is likely where JavaScript applications use vulnerable Lodash versions and pass untrusted user-controlled path strings to _.unset or _.omit. Direct and transitive dependencies should be checked, including the related package names listed in the source bundle. Server-side and client-side impact depends on reachable code paths.

Exploitation context

The bundle does not show CISA KEV listing and does not provide cited evidence of active exploitation. Exploitation requires a reachable use of _.unset or _.omit with crafted path input. The impact is most credible as application breakage or denial of service from deleted prototype methods, not arbitrary overwrite.

Researcher notes

The key constraint is source-confirmed impact: crafted paths can delete prototype properties, but the issue does not overwrite original behavior. Validate reachability, not just package presence. Evidence is incomplete for downstream package version ranges and active exploitation, so avoid claims beyond the bundle.

Mitigation direction

  • Upgrade Lodash to 4.17.23 where applicable.
  • Review vendor advisories for packaged or appliance-delivered Lodash copies.
  • Block or strictly validate untrusted path input before _.unset or _.omit.
  • Inventory transitive dependencies that bundle vulnerable Lodash versions.
  • Prioritize internet-facing services with user-controlled object path inputs.

Validation and detection

  • Check dependency manifests and lockfiles for Lodash 4.0.0 through 4.17.22.
  • Search code for _.unset and _.omit usage with request-derived path values.
  • Confirm production bundles do not include vulnerable Lodash copies.
  • Review Red Hat and Siemens advisories if those products are in scope.
  • Document whether reachable paths accept unauthenticated input.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1321: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-13465 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.2 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
3ADP providers
43Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.2CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H3.94.2redhat-SADP
6.9CVSS 4.0MediumCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:Popenjs

Vulnerability scoring details

Base CVSS 4.0 score

6.9Medium
CVSS 4.0 vector shape for CVE-2025-13465Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
redhat-SADPlodash: prototype pollution in _.unset and _.omit functions
other:Red Hat severity ratingcvssV3_1
  • 2026-01-21T20:01:28.774Z: Reported to Red Hat.
  • 2026-01-21T19:05:28.846Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LodashLodashlodash, 4.0.0unaffected
Lodash-amdLodash-amd4.0.0unaffected
lodash-eslodash-es4.0.0unaffected
lodash.unsetlodash.unset4.0.0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1321 · source CWE mapping

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.