Platform
nodejs
Component
lodash
Fixed in
4.17.23
4.17.23
4.17.23
4.0.1
4.17.23
CVE-2025-13465 describes a prototype pollution vulnerability affecting Lodash versions 4.0.0 through 4.17.22. This flaw allows attackers to delete methods from global prototypes, potentially disrupting application functionality. The vulnerability is resolved in Lodash version 4.17.23, and users are advised to upgrade promptly.
Prototype pollution in Lodash arises from improper handling of user-supplied paths in the _.unset and _.omit functions. An attacker who controls the path can craft one that walks from an ordinary object up to a global prototype (e.g., Object.prototype, Array.prototype) and deletes a method there. Because every object inherits from these prototypes, the deletion affects the whole process, leading to unexpected behavior, thrown errors, and potentially denial of service. The impact is particularly severe in applications that rely heavily on Lodash or that extend or modify built-in JavaScript prototypes. While the flaw does not allow existing methods to be overwritten, deleting a method that the application or its dependencies depend on can severely impair functionality.
CVE-2025-13465 was publicly disclosed on January 21, 2026. The vulnerability's impact is considered medium due to the potential for application disruption. While no public exploits have been widely reported, the ease of exploitation and the widespread use of Lodash suggest a potential for active exploitation. It is not currently listed on the CISA KEV catalog.
Applications built on Node.js that utilize Lodash versions 4.0.0 through 4.17.22 are at risk. This includes web applications, command-line tools, and any other JavaScript environment leveraging Lodash. Projects that extend or modify JavaScript prototypes are particularly vulnerable, as the prototype pollution can directly impact their custom functionality.
• nodejs / server: npm list lodash
• nodejs / server: grep -r '_.unset(' /path/to/your/app/*
• nodejs / server: find /path/to/your/app/ -name '*.js' -exec grep '_.omit(' {} +
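The detection commands above rely on npm list, which only covers what the package manager reports at that moment. As an added example (not part of this advisory or the Lodash project), the script below walks a package-lock.json "packages" map (lockfileVersion 2 or 3) and reports every lodash copy in the affected range, including nested copies installed under other dependencies. The lock-file content embedded in it is constructed for the demonstration; the version comparison is a plain major.minor.patch compare and deliberately ignores pre-release tags.

```javascript
// Added example: scan a package-lock.json for lodash copies affected by CVE-2025-13465.
// Not code from the Lodash project or the advisory. Handles lockfileVersion 2/3 only.

const FIRST_AFFECTED = '4.0.0';
const FIXED = '4.17.23';

// Parse "major.minor.patch" into numbers; anything after the patch (e.g. "-beta") is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every entry whose path ends in node_modules/lodash is a lodash install, nested or top-level.
function findVulnerableLodash(lock, firstAffected = FIRST_AFFECTED, fixed = FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    if (!entry || !entry.version) continue;
    const inRange =
      compareVersions(entry.version, firstAffected) >= 0 &&
      compareVersions(entry.version, fixed) < 0;
    if (inRange) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lock file: a patched top-level lodash plus a nested unpatched copy
// pulled in by a hypothetical "some-cli" dependency, and a 3.x copy outside the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/some-cli': { version: '2.1.0' },
    'node_modules/some-cli/node_modules/lodash': { version: '4.17.21' },
    'node_modules/legacy-tool': { version: '0.9.0' },
    'node_modules/legacy-tool/node_modules/lodash': { version: '3.10.1' },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; without an argument the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableLodash(lock);
  for (const h of hits) console.log(`AFFECTED ${h.path} ${h.version}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

A non-zero exit code when a hit is found lets the script sit in a CI step; a nested copy under another package is exactly the case npm list shows but a quick look at package.json misses.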
Exploit Status
EPSS
0.03% (8th percentile)
The primary mitigation for CVE-2025-13465 is to upgrade to Lodash version 4.17.23 or later, which contains the fix. If upgrading immediately is not feasible, validate any path passed to _.unset or _.omit before the call and reject paths that contain a __proto__, constructor, or prototype segment, since those are the segments that let a path climb from an ordinary object to a global prototype; validating the parsed segments rather than the raw string matters because Lodash accepts both dot notation and bracket notation (a['constructor'].prototype). Web application firewalls (WAFs) configured to detect and block such path patterns can add a layer of defense but should not be the only control. Monitor application logs for unusual TypeErrors ("... is not a function") or other unexpected behavior that might indicate a method was removed from a prototype.
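As an added example (not code from the Lodash project or this advisory), the block below shows both halves of the point above: a stand-in deep unset, naiveUnset, that follows a path the way the pre-4.17.23 functions did and therefore deletes a method from Object.prototype when given constructor.prototype.<name>, and a path guard that parses lodash-style dot and bracket paths into segments and refuses any segment that would reach a prototype. The guard wrappers take the unset/omit implementation as a parameter so they can sit in front of _.unset and _.omit without this file depending on Lodash. The demo adds a hypothetical method named __cveDemoMethod to Object.prototype and removes it afterwards so nothing real is broken; the path parser is simplified and is stricter than Lodash's (it never treats a dotted string as a single literal key).

```javascript
// Added example: prototype-reaching paths in a lodash-style deep unset, and a guard that
// rejects them. naiveUnset is a stand-in for pre-fix behaviour, not Lodash code.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse "a.b[0]['c']" or an array path into string segments (simplified, stricter than Lodash).
function parsePath(path) {
  if (Array.isArray(path)) return path.map(String);
  const s = String(path);
  const segments = [];
  let current = '';
  let i = 0;
  while (i < s.length) {
    const ch = s[i];
    if (ch === '.') {
      if (current !== '') segments.push(current);
      current = '';
      i += 1;
    } else if (ch === '[') {
      if (current !== '') segments.push(current);
      current = '';
      const close = s.indexOf(']', i);
      if (close === -1) throw new Error(`unterminated bracket in path: ${s}`);
      let key = s.slice(i + 1, close);
      const q = key[0];
      if (key.length >= 2 && (q === '"' || q === "'") && key[key.length - 1] === q) key = key.slice(1, -1);
      segments.push(key);
      i = close + 1;
    } else {
      current += ch;
      i += 1;
    }
  }
  if (current !== '') segments.push(current);
  return segments;
}

// A path is safe only if no parsed segment can climb to a prototype.
function isSafePath(path) {
  return !parsePath(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

function assertSafePath(path) {
  if (!isSafePath(path)) throw new Error(`refusing path that reaches a prototype: ${JSON.stringify(path)}`);
  return path;
}

// Wrappers for whatever implementation is in use, e.g. guardedUnset(_.unset, obj, path).
function guardedUnset(unsetFn, obj, path) {
  return unsetFn(obj, assertSafePath(path));
}

function guardedOmit(omitFn, obj, paths) {
  const list = Array.isArray(paths) ? paths : [paths];
  list.forEach(assertSafePath);
  return omitFn(obj, list);
}

// Stand-in for the unguarded walk: follow each segment, then delete the last key.
function naiveUnset(obj, path) {
  const segs = parsePath(path);
  let node = obj;
  for (let i = 0; i < segs.length - 1; i += 1) {
    if (node == null) return true;
    node = node[segs[i]];
  }
  if (node == null) return true;
  return delete node[segs[segs.length - 1]];
}

// Shows the pollution and the guard on a hypothetical Object.prototype method, then cleans up.
function demonstrate() {
  const marker = '__cveDemoMethod';
  const install = () => { Object.prototype[marker] = function () { return 'alive'; }; };
  install();
  try {
    const before = typeof ({})[marker];                 // 'function'
    naiveUnset({}, `constructor.prototype.${marker}`);  // {} -> Object -> Object.prototype -> delete
    const afterNaive = typeof ({})[marker];             // 'undefined' for every object in the process
    install();
    let blocked = false;
    try {
      guardedUnset(naiveUnset, {}, `constructor.prototype.${marker}`);
    } catch (err) {
      blocked = true;
    }
    const afterGuarded = typeof ({})[marker];           // still 'function'
    return { before, afterNaive, blocked, afterGuarded };
  } finally {
    delete Object.prototype[marker];
  }
}

if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
```

Deleting a method rather than defining one is what makes this variant quiet: nothing is added that a later integrity check would notice, the first symptom is usually a TypeError somewhere unrelated to the request that carried the path.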
Update the Lodash library to version 4.17.23 or later. This fixes the prototype pollution vulnerability in the _.unset and _.omit functions. You can update the dependency using npm or yarn.
CVE-2025-13465 is a medium-severity vulnerability in Lodash versions 4.0.0 - 4.17.22 that allows attackers to delete methods from global prototypes through crafted paths in .unset and .omit functions.
You are affected if your Node.js application uses Lodash versions between 4.0.0 and 4.17.22 (inclusive). Check your project dependencies with npm list lodash.
Upgrade to Lodash version 4.17.23 or later. If immediate upgrade is not possible, implement input validation on paths used with .unset and .omit.
While no widespread exploitation has been publicly confirmed, the ease of exploitation and Lodash's widespread use suggest a potential for active exploitation. Monitor your application logs.
Refer to the Lodash project's release notes and security advisories on their GitHub repository: https://github.com/lodash/lodash/releases