Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

GHSA-xxjr-mmjv-4gpg · CVE-2025-13465

Published Jan 21, 2026 · Modified Jun 9, 2026

Description

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

References

WEB https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13465
WEB https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
WEB https://cert-portal.siemens.com/productcert/html/ssa-253495.html
PACKAGE https://github.com/lodash/lodash

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes