DEBIAN-CVE-2025-13465
PUBLISHED
CVSS 5.3 MEDIUM
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
Risk Scores
CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | node-lodash | 4.17.23+dfsg, 4.18.1+dfsg, 4.18.1+dfsg |
| Debian:11 | node-lodash | 4.17.21+dfsg+~cs8.31.198.20210220-9, 4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+1, 4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+2 |
| Debian:12 | node-lodash | *, 4.17.23+dfsg, 4.18.1+dfsg |
| Debian:14 | node-lodash | 4.17.21+dfsg, 0, 0 |
Exploit Intelligence
- jaytarr-geo/nextjs-lodash-cve-2025-13465-repro (github-poc-repo)
- jaytarr-geo/nextjs-lodash-cve-2025-13465-repro (github-poc)
- pnpm-workspace.yaml (github-poc)
- load-cve.test.mjs (github-poc)
- guard-json.js (github-poc)
- exploits.js (github-poc)
- lisa24-exploit-tests.py (github-poc)
Timeline
- Jan 21, 2026 CVE Published
- Apr 28, 2026 CVE Updated