Bug 2431740 (CVE-2025-13465) - CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
Summary: CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
Keywords:
Status: NEW
Alias: CVE-2025-13465
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2432924 2432925 2432926 2432932 2432933 2432935 2432936 2432942 2432943 2432944 2432947 2432948 2432953 2432955 2432959 2432964 2432965 2432967 2432968 2432969 2432970 2432971 2432972 2432973 2432975 2432976 2432979 2432982 2432991 2432995 2432996 2433000 2433002 2433006 2433010 2433012 2433013 2433016 2433017 2433018 2433019 2433020 2433021 2433022 2433024 2433025 2433028 2433032 2433041 2433043 2433046 2433047 2432919 2432920 2432921 2432922 2432923 2432927 2432928 2432929 2432930 2432931 2432934 2432937 2432938 2432939 2432940 2432941 2432945 2432946 2432949 2432950 2432951 2432952 2432954 2432956 2432957 2432958 2432960 2432961 2432962 2432963 2432966 2432974 2432977 2432978 2432980 2432981 2432983 2432984 2432985 2432986 2432987 2432988 2432989 2432990 2432992 2432993 2432994 2432997 2432998 2432999 2433001 2433003 2433004 2433005 2433007 2433008 2433009 2433011 2433014 2433015 2433023 2433026 2433027 2433029 2433030 2433031 2433033 2433034 2433035 2433036 2433037 2433038 2433039 2433040 2433042 2433044 2433045 2433048
Blocks:
Reported: 2026-01-21 20:01 UTC by OSIDB Bzimport
Modified: 2026-03-06 10:13 UTC
CC: 184 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Last Updated
Red Hat Product Errata RHSA-2026:1845 2026-02-03 16:03:26 UTC
Red Hat Product Errata RHSA-2026:2438 2026-02-10 12:31:32 UTC
Red Hat Product Errata RHSA-2026:2452 2026-02-10 15:32:31 UTC
Red Hat Product Errata RHSA-2026:2462 2026-02-10 17:52:42 UTC
Red Hat Product Errata RHSA-2026:2465 2026-02-10 18:23:39 UTC
Red Hat Product Errata RHSA-2026:2469 2026-02-10 19:14:58 UTC
Red Hat Product Errata RHSA-2026:2484 2026-02-10 20:13:29 UTC
Red Hat Product Errata RHSA-2026:2816 2026-02-17 12:22:07 UTC
Red Hat Product Errata RHSA-2026:2817 2026-02-17 12:35:09 UTC
Red Hat Product Errata RHSA-2026:2818 2026-02-17 12:21:22 UTC
Red Hat Product Errata RHSA-2026:2819 2026-02-17 12:34:41 UTC
Red Hat Product Errata RHSA-2026:3958 2026-03-06 10:13:14 UTC

Description OSIDB Bzimport 2026-01-21 20:01:53 UTC
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched in 4.17.23.
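
The description above says a crafted path makes _.unset and _.omit delete a method from a shared prototype rather than from the object passed in. The following is an added example, not lodash's source and not part of this bug report: a minimal model of the path-walking shape of _.unset/_.omit (the helper names toPath, unsetUnsafe, unsetSafe, makeOmit and the demo functions are illustrative assumptions, not lodash APIs) beside a hardened variant that refuses path segments which would step onto a prototype. The targets are a constructed Widget class and a temporary, non-enumerable method installed on Object.prototype for the duration of one call; the exact check that lodash 4.17.23 applies is not reproduced here.

```javascript
// Added example (not lodash's source): a minimal model of the _.unset / _.omit
// path walk that exhibits the prototype-deletion shape described in the bug,
// beside a hardened variant. Helper names (toPath, unsetUnsafe, unsetSafe,
// makeOmit, demo*) are illustrative assumptions, not lodash APIs.

// Keys that let a path step from an instance onto a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c']; arrays are taken as-is.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[([^\]]+)\]/g, '.$1')
    .split('.')
    .filter((k) => k.length > 0);
}

// Vulnerable shape: walk to the parent of the last key and delete that key.
// '__proto__' and 'constructor' are followed like ordinary segments, so the
// delete can land on a prototype shared by every object of that type.
function unsetUnsafe(object, path) {
  const keys = toPath(path);
  let parent = object;
  for (let i = 0; i < keys.length - 1 && parent != null; i++) {
    parent = parent[keys[i]];
  }
  if (parent == null) return true; // nothing to delete, reported as success
  return delete parent[keys[keys.length - 1]];
}

// Hardened variant: reject any segment that would reach a prototype.
function unsetSafe(object, path) {
  const keys = toPath(path);
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false;
  return unsetUnsafe(object, keys);
}

// omit: copy own enumerable properties into a new object that keeps the same
// prototype (as a clone does), then unset each path on the copy. With an
// unsafe unset, the copy still leads back to the shared prototype.
function makeOmit(unset) {
  return (object, paths) => {
    const copy = Object.assign(Object.create(Object.getPrototypeOf(object)), object);
    for (const p of paths) unset(copy, p);
    return copy;
  };
}
const omitUnsafe = makeOmit(unsetUnsafe);
const omitSafe = makeOmit(unsetSafe);

// Constructed target: a fresh class per demo so each call is independent.
function makeWidgetClass() {
  return class Widget {
    constructor(name) { this.name = name; }
    greet() { return `hi ${this.name}`; }
  };
}

// Attacker-controlled path through __proto__ removes greet() for every Widget.
function demoUnsetUnsafe() {
  const Widget = makeWidgetClass();
  const victim = new Widget('a');
  const bystander = new Widget('b');
  unsetUnsafe(victim, '__proto__.greet'); // constructed attacker path
  return typeof bystander.greet;          // 'undefined'
}

// Same outcome via omit and the constructor.prototype route.
function demoOmitUnsafe() {
  const Widget = makeWidgetClass();
  const bystander = new Widget('b');
  omitUnsafe(new Widget('a'), ['constructor.prototype.greet']);
  return typeof bystander.greet;          // 'undefined'
}

// Hardened unset/omit refuse both paths; the method survives.
function demoUnsetSafe() {
  const Widget = makeWidgetClass();
  const bystander = new Widget('b');
  const ok = unsetSafe(new Widget('a'), '__proto__.greet');
  omitSafe(new Widget('a'), ['constructor.prototype.greet']);
  return ok === false ? typeof bystander.greet : 'unexpected'; // 'function'
}

// Against a global prototype: install a temporary, non-enumerable method on
// Object.prototype, delete it through an empty object, then clean up.
function demoGlobalPrototype() {
  const name = '__cve_2025_13465_demo';
  Object.defineProperty(Object.prototype, name, {
    value() { return 'still here'; }, configurable: true, writable: true,
  });
  try {
    unsetUnsafe({}, `__proto__.${name}`);
    return typeof ({})[name];             // 'undefined'
  } finally {
    delete Object.prototype[name];        // no-op if already deleted
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unset via __proto__     :', demoUnsetUnsafe());
  console.log('omit via constructor    :', demoOmitUnsafe());
  console.log('hardened unset/omit     :', demoUnsetSafe());
  console.log('Object.prototype target :', demoGlobalPrototype());
}
```

Run it with node. The point to take from demoGlobalPrototype is that the bug's impact is destructive rather than a value injection: as the description says, the property is deleted, not overwritten, so an untrusted path reaching something like Object.prototype.toString or hasOwnProperty takes the method away for every object in the process. To find affected copies in a dependency tree, npm ls lodash and compare each version against the 4.17.23 fix version stated above, remembering that nested and bundled copies count too.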

Comment 3 errata-xmlrpc 2026-02-03 16:03:14 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:1845 https://access.redhat.com/errata/RHSA-2026:1845

Comment 5 errata-xmlrpc 2026-02-10 12:31:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:2438 https://access.redhat.com/errata/RHSA-2026:2438

Comment 6 errata-xmlrpc 2026-02-10 15:32:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2452 https://access.redhat.com/errata/RHSA-2026:2452

Comment 7 errata-xmlrpc 2026-02-10 17:52:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2462 https://access.redhat.com/errata/RHSA-2026:2462

Comment 8 errata-xmlrpc 2026-02-10 18:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2465 https://access.redhat.com/errata/RHSA-2026:2465

Comment 9 errata-xmlrpc 2026-02-10 19:14:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2469 https://access.redhat.com/errata/RHSA-2026:2469

Comment 10 errata-xmlrpc 2026-02-10 20:13:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2484 https://access.redhat.com/errata/RHSA-2026:2484

Comment 11 errata-xmlrpc 2026-02-17 12:21:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2818 https://access.redhat.com/errata/RHSA-2026:2818

Comment 12 errata-xmlrpc 2026-02-17 12:21:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2816 https://access.redhat.com/errata/RHSA-2026:2816

Comment 13 errata-xmlrpc 2026-02-17 12:34:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2819 https://access.redhat.com/errata/RHSA-2026:2819

Comment 14 errata-xmlrpc 2026-02-17 12:34:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2817 https://access.redhat.com/errata/RHSA-2026:2817

Comment 16 errata-xmlrpc 2026-03-06 10:13:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958

