CVE-2025-13465: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

January 21, 2026

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

References

github.com/advisories/GHSA-xxjr-mmjv-4gpg
github.com/lodash/lodash
github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
nvd.nist.gov/vuln/detail/CVE-2025-13465

Code Behaviors & Features

Detect and mitigate CVE-2025-13465 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →