## Lodash Security Patch Targets Prototype Pollution Flaw in _.unset and _.omit Functions
A critical prototype pollution vulnerability has been identified in Lodash, prompting an urgent dependency update to version 4.18.1. The flaw, tracked as CVE-2025-13465, affects all versions from 4.0.0 through 4.17.22, specifically the `_.unset` and `_.omit` utility functions widely used in JavaScript applications.

The vulnerability allows attackers to craft malicious path inputs that cause Lodash to delete properties from global prototypes. While the flaw does not permit direct property overwriting, the ability to delete critical prototype methods poses significant risk to application integrity and runtime behavior. The security advisory, published as GHSA-xxjr-mmjv-4gpg, classifies this as a moderate-to-high severity issue due to the ubiquity of Lodash in production codebases.

Organizations maintaining projects with Lodash dependencies should prioritize this update. The remediation path is straightforward: upgrading to 4.18.1 eliminates the prototype pollution attack vector. Security teams are advised to audit dependencies for Lodash usage, particularly in code paths that process untrusted user input through `_.unset` or `_.omit`. Given the library's prevalence in Node.js environments and frontend builds, the potential blast radius of this vulnerability spans a wide range of web applications and backend services.
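
As an added example (not code from the advisory or the Lodash project), the dependency audit recommended above can be scripted against npm lock-file data to find direct and transitive `lodash` installs in the 4.0.0 through 4.17.22 range. The sample lock data and the `report-lib` package name are constructed, and checking only the package named `lodash` is an assumption about scope.

```javascript
// Affected range as stated in the article: 4.0.0 through 4.17.22.
const AFFECTED_MIN = [4, 0, 0];
const AFFECTED_MAX = [4, 17, 22];

// "4.17.21" -> [4, 17, 21]; null for anything that is not plain x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// 'affected' | 'ok' | 'review' (non-numeric spec such as a git URL or pre-release).
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'review';
  return compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0 ? 'affected' : 'ok';
}

// Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree), so transitive copies show up.
function auditLock(lock) {
  const findings = [];
  const add = (path, meta) =>
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/lodash' || path.endsWith('/node_modules/lodash')) add(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'lodash') add(trail + name, meta);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lock data; "report-lib" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/report-lib/node_modules/lodash': { version: '4.17.21' },
  },
};
console.log(auditLock(sampleLock).filter((f) => f.status !== 'ok'));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `auditLock`; entries marked `review` need a manual check.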
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: prototype pollution, CVE-2025-13465, dependency security, JavaScript vulnerability, GHSA-xxjr-mmjv-4gpg
- **Credibility**: unverified
- **Published**: 2026-05-12 07:48:27
- **ID**: 82134
- **URL**: https://whisperx.ai/en/intel/82134