Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 35 npm packages depend on lodash (18 direct, 17 indirect)
- 1 npm packages depend on lodash-es (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.18.0 and other introduced versions.
DescriptionCVE.org
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
AnalysisAI
Prototype pollution in Lodash 4.17.23 and earlier allows unauthenticated remote attackers to delete properties from built-in prototypes (Object.prototype, Number.prototype, String.prototype) via array-wrapped path segments in _.unset and _.omit functions, bypassing the incomplete fix for CVE-2025-13465. The vulnerability has a CVSS score of 6.5 with low integrity and availability impact; no public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Lodash is a widely-used JavaScript utility library. The vulnerability exists in the prototype pollution guard implemented for _.unset and _.omit functions. The guard checks for string key members but fails to validate array-wrapped path segments, allowing attackers to craft payloads that traverse and delete properties from Object.prototype and other built-in prototypes. This is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), a type of prototype pollution attack. The affected CPE strings indicate all variants are vulnerable: lodash (main package), lodash-es (ES module variant), lodash-amd (AMD module variant), and lodash.unset (single-function package).
RemediationAI
Vendor-released patch: Upgrade Lodash to version 4.18.0 or later. This version addresses the incomplete prototype pollution guard by properly validating array-wrapped path segments in _.unset and _.omit functions. No workarounds are available; patching is the only mitigation. For JavaScript projects using npm, package.json should be updated to require lodash@^4.18.0 or lodash-es@^4.18.0 depending on the variant in use. Developers should verify the upgraded version and re-run tests to ensure compatibility with their application code.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17591
GHSA-f23m-r3pf-42rh