Bug 2432961

Summary: CVE-2025-13465 cockpit-podman: prototype pollution in _.unset and _.omit functions [fedora-42]
Product: [Fedora] Fedora
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: cockpit-podman
Assignee: Matej Marušák <mmarusak>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 42
CC: jvanderwaa, kkoukiou, mmarusak, mpitt
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: {"flaws": ["2207a801-158d-4213-ada5-49f943885c4d"]}
Fixed In Version:
Doc Type: ---
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2026-01-27 14:58:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2431740

Description Guilherme de Almeida Suckevicz 2026-01-26 18:43:22 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Martin Pitt 2026-01-27 14:58:51 UTC
Same as bug #2432957.

Such kinds of issues are not exploitable in Cockpit due to its structure. Cockpit's web server is an isolated world: it only knows about cockpit on one server and can't go anywhere else. The entire JS is loaded from the target machine, so that already has full control over what happens – if an attacker has that amount of control over a target machine, they can serve literally anything as the cockpit page, which the browser will happily run. You don't need a vulnerability for that, just put your exploit into the overview page or anywhere else. This applies to an even higher degree to situations like Anaconda, where you have to trust the installer environment and hardware by definition.

On top of that, the affected code is not even contained in the bundle, I checked with grep -Er '_omit|_unset' dist/ in a development build. Due to tree-shaking, only the parts of lodash that the PatternFly react-table project actually uses are present in the bundle.
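The comment above argues from Cockpit's threat model rather than from the flaw itself. For readers who want to see what the prototype-pollution class of bug in a path-based unset helper actually means for a consumer of such a library, and what the usual mitigation looks like, the following is an added illustration. It is not lodash's code, not cockpit-podman's code, and does not reproduce the CVE's mechanism; `naiveUnset`, `safeUnset`, `FORBIDDEN_KEYS` and `demo` are hypothetical names, and the `Widget` class is a constructed stand-in for any class whose instances share a prototype.

```javascript
// Added illustration (not lodash's code and not the CVE's mechanism): a naive
// path-based "unset" helper next to one that refuses to traverse prototype keys.

// Hypothetical naive helper: walks a dotted path and deletes the final key,
// without checking whether an intermediate key steps onto a prototype object.
function naiveUnset(obj, path) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return false;
    cur = cur[keys[i]];
  }
  if (cur == null) return false;
  return delete cur[keys[keys.length - 1]];
}

// Path segments that let a walk escape the target object into shared prototypes.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: rejects any path segment naming a prototype-related key and
// only descends through own properties, so the walk can never leave `obj`.
function safeUnset(obj, path) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  if (cur == null || typeof cur !== "object") return false;
  return delete cur[keys[keys.length - 1]];
}

// Constructed scenario: run `unsetFn` on one throwaway instance with a path that
// steps through __proto__, then report whether a *different* instance of the
// same class still has its shared method. A fresh class per call keeps the
// demonstration repeatable and leaves built-in prototypes untouched.
function demo(unsetFn) {
  class Widget {
    greet() { return "hello"; }
  }
  const victim = new Widget();
  const other = new Widget();
  unsetFn(victim, "__proto__.greet");
  return typeof other.greet === "function";
}

// Stand-alone run: the naive helper strips greet() from every Widget, the
// hardened one leaves the class intact and still handles ordinary paths.
console.log("naive keeps shared method:", demo(naiveUnset));
console.log("safe keeps shared method:", demo(safeUnset));
const sample = { a: { b: 1, c: 2 } };
console.log("safe unset of a.b:", safeUnset(sample, "a.b"), sample);
```

The deny-list on path segments is the standard mitigation; the `hasOwnProperty` check is the belt to its braces, since it stops the walk from following any inherited property, not just the three named keys.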