Bug 2431740 (CVE-2025-13465)

Summary: CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.

Description OSIDB Bzimport 2026-01-21 20:01:53 UTC
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched in 4.17.23.
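
As an added example (not code from Lodash or from this bug's reporters), a defence-in-depth guard for applications that build _.unset/_.omit paths from untrusted input, plus a prototype-integrity check that reports the deletion impact described above; the path parser, the set of watched prototypes and the wrapper names are assumptions of this example.

```javascript
// Added example (not Lodash's or Red Hat's code): a defence-in-depth guard for
// untrusted property paths before they reach _.unset / _.omit, plus a check that
// detects the impact described above (members vanishing from global prototypes).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Normalise a Lodash-style path ('a.b[0].c', 'a["__proto__"].x', or an array)
// into string segments; bracket contents are unquoted so both spellings are
// checked. Assumption: this is a conservative approximation of Lodash's parser.
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(["']?)(.*?)\1\]/g, ".$2") // a[0].b -> a.0.b, a["k"] -> a.k
    .split(".")
    .filter((seg) => seg.length > 0);
}

// True only if no segment could steer the walk onto a prototype object.
function isSafePath(path) {
  return !toSegments(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Wrap an unset-like function (e.g. lodash's _.unset, supplied by the caller)
// so that unsafe paths are refused instead of applied.
function guardedUnset(unsetFn, obj, path) {
  if (!isSafePath(path)) throw new Error(`refusing unsafe property path: ${JSON.stringify(path)}`);
  return unsetFn(obj, path);
}

// Detection side: record the own property names of the core prototypes now,
// and later report any that have disappeared.
const WATCHED = { Object: Object.prototype, Array: Array.prototype,
                  Function: Function.prototype, String: String.prototype };

function snapshotPrototypes() {
  return Object.fromEntries(
    Object.entries(WATCHED).map(([n, p]) => [n, Object.getOwnPropertyNames(p)])
  );
}

// Returns "Type.member" names present in the snapshot but absent now.
function missingSinceSnapshot(snap) {
  const missing = [];
  for (const [name, proto] of Object.entries(WATCHED)) {
    const present = new Set(Object.getOwnPropertyNames(proto));
    for (const key of snap[name] || []) {
      if (!present.has(key)) missing.push(`${name}.${key}`);
    }
  }
  return missing;
}
```

Upgrading to lodash 4.17.23 is the fix; the guard only limits exposure where the path is attacker-controlled, and the snapshot check is a way to notice the damage early rather than prevent it.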

Comment 3 errata-xmlrpc 2026-02-03 16:03:14 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:1845 https://access.redhat.com/errata/RHSA-2026:1845

Comment 5 errata-xmlrpc 2026-02-10 12:31:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:2438 https://access.redhat.com/errata/RHSA-2026:2438

Comment 6 errata-xmlrpc 2026-02-10 15:32:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2452 https://access.redhat.com/errata/RHSA-2026:2452

Comment 7 errata-xmlrpc 2026-02-10 17:52:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2462 https://access.redhat.com/errata/RHSA-2026:2462

Comment 8 errata-xmlrpc 2026-02-10 18:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2465 https://access.redhat.com/errata/RHSA-2026:2465

Comment 9 errata-xmlrpc 2026-02-10 19:14:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2469 https://access.redhat.com/errata/RHSA-2026:2469

Comment 10 errata-xmlrpc 2026-02-10 20:13:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2484 https://access.redhat.com/errata/RHSA-2026:2484

Comment 11 errata-xmlrpc 2026-02-17 12:21:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2818 https://access.redhat.com/errata/RHSA-2026:2818

Comment 12 errata-xmlrpc 2026-02-17 12:21:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2816 https://access.redhat.com/errata/RHSA-2026:2816

Comment 13 errata-xmlrpc 2026-02-17 12:34:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2819 https://access.redhat.com/errata/RHSA-2026:2819

Comment 14 errata-xmlrpc 2026-02-17 12:34:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2817 https://access.redhat.com/errata/RHSA-2026:2817

Comment 16 errata-xmlrpc 2026-03-06 10:13:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958