VYPR
Medium severity5.3OSV Advisory· Published Jan 21, 2026· Updated Jun 2, 2026

CVE-2025-13465

CVE-2025-13465

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched on 4.17.23

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lodashnpm
>= 4.0.0, < 4.17.234.17.23
lodash.unsetnpm
>= 4.0.0, <= 4.5.2
lodash-esnpm
>= 4.0.0, < 4.17.234.17.23
lodash-amdnpm
>= 4.0.0, < 4.17.234.17.23

Affected products

241

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.