CVE-2025-13465

NameCVE-2025-13465
DescriptionLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1126265

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-lodash (PTS)bullseye4.17.21+dfsg+~cs8.31.173-1vulnerable
forky, bookworm, trixie4.17.21+dfsg+~cs8.31.198.20210220-9vulnerable
sid4.17.23+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-lodashsource(unstable)4.17.21+dfsg+~cs8.31.198.20210220-101126265

Notes

[trixie] - node-lodash <no-dsa> (Minor issue)
[bookworm] - node-lodash <no-dsa> (Minor issue)
https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
Search for package or bug name: Reporting problems