CVE-2025-13465
Prototype Pollution vulnerability in lodash (npm)
What is CVE-2025-13465 About?
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker who controls the path argument can craft a path that walks into a shared prototype (for example one containing `__proto__`) and deletes a method from it, disrupting every object in the process that inherits that method. The flaw permits deletion only, not overwriting, so an attacker cannot substitute their own behavior for the original; that limits the impact in some scenarios, but exploitation can still cause denial of service or unexpected behavior.
Affected Software
- lodash
- >=4.0.0, <4.17.23
- lodash.unset
- >=4.0.0, <=4.5.2
- lodash-es
- >=4.0.0, <4.17.23
- lodash-amd
- >=4.0.0, <4.17.23
Technical Details
The vulnerability lies within the _.unset and _.omit functions of Lodash. Both remove properties from an object by walking a dotted or array path to the parent of the final key and deleting that key. When the path is attacker-controlled, a segment such as __proto__ or constructor.prototype steers the walk out of the target object and into a global JavaScript prototype (for example Object.prototype), so the final delete removes a property shared by every object in the runtime. Because the functions only delete and never assign, the attacker cannot replace the original behavior with their own; removing a widely used method from a global prototype can nevertheless crash the application, produce unexpected behavior, or cause denial of service by making fundamental functions unavailable to unrelated code.
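The following is an added example, not lodash's source code or its fix. It uses a minimal, hypothetical `unsetUnguarded` that mirrors the walk-to-parent-then-delete step the advisory attributes to `_.unset` and `_.omit`, next to a hardened `unsetGuarded` that refuses any path segment naming `__proto__`, `constructor` or `prototype`. The `demonstrate` helper runs an attacker-style path against each variant and restores the deleted built-in afterwards so the process stays usable; the helper names and the choice of `propertyIsEnumerable` as the victim method are illustrative assumptions.

```javascript
'use strict';

// Normalise a path into an array of keys ("a.b.c" or ["a", "b", "c"]).
function castPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Hypothetical stand-in for the vulnerable behaviour: walk to the parent of
// the last key and delete it, without checking whether the walk has left the
// caller's object and landed on a shared prototype.
function unsetUnguarded(object, path) {
  const keys = castPath(path);
  let parent = object;
  for (let i = 0; i < keys.length - 1 && parent != null; i++) {
    parent = parent[keys[i]]; // "__proto__" yields Object.prototype here
  }
  if (parent == null) return true; // nothing to delete, lodash-style semantics
  return delete parent[keys[keys.length - 1]];
}

// Keys that move a path walk from an ordinary object onto a prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafePath(path) {
  return !castPath(path).some((key) => UNSAFE_KEYS.has(key));
}

// Hardened variant: reject the path before touching the object at all.
function unsetGuarded(object, path) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing to unset through prototype key in path "${castPath(path).join('.')}"`);
  }
  return unsetUnguarded(object, path);
}

// Run one attacker-supplied path against the given unset implementation and
// report what happened to the targeted global method. The method is saved and
// restored (non-enumerable, as it was) so the rest of the process is unharmed.
function demonstrate(unset, attackerPath, method = 'propertyIsEnumerable') {
  const saved = Object.prototype[method];
  let outcome;
  try {
    unset({}, attackerPath);
    outcome = typeof Object.prototype[method] === 'function' ? 'intact' : 'deleted';
  } catch (err) {
    outcome = err instanceof TypeError ? 'rejected' : 'error';
  } finally {
    Object.defineProperty(Object.prototype, method, {
      value: saved, writable: true, configurable: true, enumerable: false,
    });
  }
  return outcome;
}

// Constructed inputs: the two path shapes the advisory calls out.
const ATTACK_PATHS = ['__proto__.propertyIsEnumerable', 'constructor.prototype.propertyIsEnumerable'];

for (const path of ATTACK_PATHS) {
  console.log(`${path}: unguarded=${demonstrate(unsetUnguarded, path)} guarded=${demonstrate(unsetGuarded, path)}`);
}

// Ordinary use still works with the guard in place.
const record = { user: { role: 'admin', name: 'alice' } };
unsetGuarded(record, 'user.role');
console.log('ordinary unset left:', JSON.stringify(record));

module.exports = { castPath, unsetUnguarded, unsetGuarded, isSafePath, demonstrate };
```

Note that the guard checks key names, not values: the dangerous input is the path argument (the list of keys passed to `_.unset`, or the keys passed to `_.omit`), so validation belongs wherever user data can become a property path, and upgrading to a fixed lodash remains the primary remedy.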
What is the Impact of CVE-2025-13465?
Successful exploitation may allow attackers to delete methods from global prototypes, which can lead to application crashes or denial of service.
What is the Exploitability of CVE-2025-13465?
Exploitation requires the ability to supply a crafted path (the key list, not merely the values) to _.unset or _.omit in a vulnerable Lodash version. No authentication or privilege is needed beyond control of that argument; the vector is remote or local depending on where the application sources it, with request parameters or JSON field names passed through to these functions being the typical route. The technique itself is simple once the attacker understands JavaScript prototype chains and how Lodash resolves dotted paths: a path beginning with __proto__ or constructor.prototype reaches a global prototype. The primary constraint is therefore whether attacker-controlled data can become the path argument, and the risk rises in applications that apply these functions to unsanitized user-provided input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-13465?
Available Upgrade Options
- lodash-amd
- >=4.0.0, <4.17.23 → Upgrade to 4.17.23
- lodash-es
- >=4.0.0, <4.17.23 → Upgrade to 4.17.23
- lodash
- >=4.0.0, <4.17.23 → Upgrade to 4.17.23
Additional Resources
- https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
- https://nvd.nist.gov/vuln/detail/CVE-2025-13465
- https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
- https://osv.dev/vulnerability/GHSA-xxjr-mmjv-4gpg
- https://github.com/lodash/lodash
What are Similar Vulnerabilities to CVE-2025-13465?
Similar Vulnerabilities: CVE-2020-28500, CVE-2021-23337, CVE-2020-8203, CVE-2019-10744, CVE-2020-7713
