## Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` (CVE-2025-13465)
A security vulnerability has been disclosed in the widely used JavaScript utility library Lodash, affecting versions 4.0.0 through 4.17.22. The flaw, tracked as CVE-2025-13465, resides in the `_.unset` and `_.omit` functions and enables a form of prototype pollution. Both functions walk a dotted path with plain property access, so when an application passes an attacker-controlled path, segments such as `__proto__` or `constructor.prototype` step onto a shared prototype and the final delete lands there. A crafted path can therefore cause Lodash to delete methods from global prototypes such as `Object.prototype`, destabilizing any code that relies on these core JavaScript objects. The flaw is reachable only where the path argument is derived from untrusted input; calls with hard-coded paths are not exposed.

The vulnerability permits the deletion of properties but not their overwriting. That rules out the classic pollution outcome of injecting attacker-chosen values and limits immediate exploitability, but it still poses a significant integrity and availability risk: removing a method such as `toString` from `Object.prototype` affects every object in the process. The issue was addressed in Lodash version 4.17.23, and automated dependency-management tools such as Renovate have generated pull requests for projects to move from the vulnerable 4.17.21 to the fixed release. Renovate marks the update with high merge confidence, indicating a low risk of breaking changes, which should facilitate rapid adoption across the ecosystem.
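The mechanism described above, as an added example that is not Lodash's code and not part of the original advisory: `toPath`, `unsafeUnset`, `safeUnset`, `isSafePath` and the `Widget` class are hypothetical names written for this illustration. `unsafeUnset` is a minimal path-walking delete that reproduces the vulnerable pattern (plain property access on every segment), and `safeUnset` shows the application-side guard a team can put in front of untrusted paths while the upgrade to 4.17.23 lands. The demonstration targets a class prototype rather than `Object.prototype` so that running it does not break the host runtime; with a path such as `__proto__.toString` the same walk reaches `Object.prototype`.

```javascript
// Added example: a minimal path-walking delete that models the behaviour
// described in the advisory. It is NOT Lodash's code; toPath, unsafeUnset,
// safeUnset, isSafePath and Widget are names made up for this illustration.

// Split "a.b.c" or "a[0].b" into segments, roughly as a path utility would.
function toPath(path) {
  return Array.isArray(path)
    ? path.map(String)
    : String(path).split(/[.\[\]]+/).filter(Boolean);
}

// Vulnerable pattern: walk every segment with plain property access, then
// delete the last one. "__proto__" and "constructor.prototype" resolve to a
// shared prototype object, so the delete lands on the prototype itself.
function unsafeUnset(object, path) {
  const segs = toPath(path);
  let cur = object;
  for (let i = 0; i < segs.length - 1 && cur != null; i++) {
    cur = cur[segs[i]];
  }
  if (cur == null) return true;
  return delete cur[segs[segs.length - 1]];
}

// Application-side mitigation for untrusted paths: refuse any segment that
// can step onto a prototype, and only descend through own properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isSafePath(path) {
  return toPath(path).every((seg) => !FORBIDDEN.has(seg));
}

function safeUnset(object, path) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing prototype-reaching path: ${String(path)}`);
  }
  const segs = toPath(path);
  let cur = object;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, segs[i])) {
      return true; // nothing to delete
    }
    cur = cur[segs[i]];
  }
  if (cur == null) return true;
  return delete cur[segs[segs.length - 1]];
}

// Demonstration on a class prototype instead of Object.prototype, so this
// file can run without damaging the runtime; the mechanism is identical.
class Widget {
  render() { return 'rendered'; }
}

function demo() {
  const w1 = new Widget();
  const w2 = new Widget();
  const before = typeof w2.render;          // 'function'

  // Attacker-controlled path, e.g. a JSON body listing "fields to omit".
  unsafeUnset(w1, '__proto__.render');
  const afterUnsafe = typeof w2.render;     // 'undefined': every Widget lost render()

  // Restore the method so later code is unaffected by the demonstration.
  Widget.prototype.render = function render() { return 'rendered'; };

  let rejected = false;
  try {
    safeUnset(w1, 'constructor.prototype.render');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const afterSafe = typeof w2.render;       // 'function': the guard refused the path

  return { before, afterUnsafe, rejected, afterSafe };
}

console.log(demo());
```

The guard is deliberately a denylist of the three segment names that reach a prototype plus an own-property check on the walk; it is a stopgap for code that cannot upgrade immediately, not a substitute for moving to a fixed Lodash release.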

Given Lodash's near-ubiquitous presence in Node.js and front-end JavaScript, a vast number of web applications and services are potentially exposed. While the impact is limited to property deletion, tampering with global prototypes can produce unexpected application behaviour, crashes, or a foothold for further attacks. Teams should review their dependency trees for every resolved copy of Lodash, since the library is frequently pulled in transitively and a lockfile can contain several nested versions, and upgrade each to 4.17.23 or later. Where an immediate upgrade is not possible, any path passed to `_.unset` or `_.omit` that originates from user input should be validated to reject prototype-reaching segments.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, javascript, open-source, vulnerability, software-supply-chain
- **Credibility**: unverified
- **Published**: 2026-03-30 19:27:20
- **ID**: 41751
- **URL**: https://whisperx.ai/en/intel/41751