Bug 2431740 (CVE-2025-13465) - CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
Summary: CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
Keywords:
Status: NEW
Alias: CVE-2025-13465
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2432922 2432923 2432924 2432925 2432926 2432927 2432929 2432932 2432933 2432934 2432935 2432936 2432939 2432941 2432942 2432943 2432944 2432945 2432947 2432948 2432950 2432951 2432953 2432954 2432955 2432959 2432963 2432964 2432965 2432967 2432968 2432969 2432970 2432971 2432972 2432973 2432974 2432975 2432976 2432979 2432980 2432981 2432982 2432984 2432985 2432986 2432987 2432990 2432991 2432995 2432996 2432997 2432998 2433000 2433001 2433002 2433006 2433010 2433011 2433012 2433013 2433016 2433017 2433018 2433019 2433020 2433021 2433022 2433023 2433024 2433025 2433028 2433029 2433030 2433031 2433032 2433034 2433035 2433036 2433037 2433040 2433041 2433043 2433046 2433047 2433048 2432919 2432920 2432921 2432928 2432930 2432931 2432937 2432938 2432940 2432946 2432949 2432952 2432956 2432957 2432958 2432960 2432961 2432962 2432966 2432977 2432978 2432983 2432988 2432989 2432992 2432993 2432994 2432999 2433003 2433004 2433005 2433007 2433008 2433009 2433014 2433015 2433026 2433027 2433033 2433038 2433039 2433042 2433044 2433045
Blocks:
Reported: 2026-01-21 20:01 UTC by OSIDB Bzimport
Modified: 2026-01-26 18:50 UTC (History)
CC: 185 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-01-21 20:01:53 UTC
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched in 4.17.23.
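A defensive guard for the two affected functions, added here as an example (not lodash's code and not part of this report): it rejects any path that names a prototype-bearing key before _.unset or _.omit is called and, as a second layer, walks own properties only. The names toPathSegments, isSafePath, guardedUnset and ownOnlyUnset are assumed, and the tokenizer only approximates lodash's string-path syntax.

```javascript
// Added example (not lodash's code): refuse attacker-influenced paths before they
// reach _.unset / _.omit, and resolve only own properties, so a path can never walk
// into Object.prototype. toPathSegments approximates lodash's path syntax (assumed).

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split 'a.b[0]["x.y"].c' (or an array path) into its property segments.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  const re = /[^.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]/g;
  const segments = [];
  let m;
  while ((m = re.exec(String(path))) !== null) {
    if (m[1] !== undefined) segments.push(m[1]);                                  // [0]
    else if (m[3] !== undefined) segments.push(m[3].replace(/\\(\\)?/g, '$1'));  // ["key"]
    else segments.push(m[0]);                                                     // plain a
  }
  return segments;
}

// True when no segment of the path names a prototype-bearing key.
function isSafePath(path) {
  return toPathSegments(path).every((s) => !FORBIDDEN_SEGMENTS.has(s));
}

// Wrap a lodash-style deleter: in a real codebase pass _.unset as unsetImpl
// (the same isSafePath check applies to every path handed to _.omit).
function guardedUnset(unsetImpl, object, path) {
  if (!isSafePath(path)) {
    throw new Error('refusing to unset prototype path: ' + JSON.stringify(path));
  }
  return unsetImpl(object, path);
}

// Constructed stand-in for _.unset (so this file runs without lodash installed) that
// also applies the second defence: traverse own properties only, never inherited ones.
function ownOnlyUnset(object, path) {
  const segs = toPathSegments(path);
  const own = (o, k) => o !== null && typeof o === 'object' && Object.prototype.hasOwnProperty.call(o, k);
  let cur = object;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!own(cur, segs[i])) return true;   // path does not exist: nothing to delete
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (own(cur, last)) delete cur[last];
  return true;
}
```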
