CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-13465: Lodash: The Delete Button for the Universe (CVE-2025-13465)

Vulnerability ID: CVE-2025-13465
CVSS Score: 6.9
Published: 2026-01-21

A prototype pollution vulnerability in the ubiquitous Lodash library allows attackers to delete critical properties from the global Object prototype. Unlike traditional prototype pollution, which injects malicious properties, this flaw uses _.unset and _.omit to destructively remove core language methods (such as toString or hasOwnProperty) by walking a path that contains a __proto__ segment, causing widespread denial of service or logic failures.

TL;DR

Lodash versions prior to 4.17.23 fail to sanitize path segments in _.unset and _.omit. An attacker supplying a path like __proto__.toString can delete the toString method from Object.prototype, so every object in the running application loses that method. This leads to immediate application crashes (DoS) or security bypasses where logic relies on the existence of specific prototype methods. The fix validates each path segment to block __proto__ and constructor access.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1321
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network
  • Impact: Denial of Service / Logic Alteration
  • Affected Function: _.unset, _.omit
  • Exploit Status: PoC Available

Affected Systems

  • Node.js applications using lodash < 4.17.23
  • Frontend React/Vue/Angular apps using lodash < 4.17.23
  • Any JavaScript environment where _.unset or _.omit is passed user-controlled paths
  • lodash: >= 4.0.0 < 4.17.23 (Fixed in: 4.17.23)

Code Analysis

Commit: edadd45

Fix prototype pollution in baseUnset

function baseUnset(object, path) {
   path = castPath(path, object);
-  object = parent(object, path);
-  return object == null || delete object[toKey(last(path))];
+  var index = -1, length = path.length, lastIndex = length - 1, nested = object;
+  while (nested != null && ++index < length) {
+    var key = toKey(path[index]);
+    if (key === '__proto__' || (key === 'constructor' && ...)) {
+      return false;
+    }
+    // ... traversal logic ...
+  }
}
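Review bot: the early `return false` on a `__proto__` (or guarded `constructor`) segment changes the boolean contract of baseUnset, which previously returned `false` only when `delete` failed and `true` when the parent was `null`; callers of `_.unset` and `_.omit` can no longer tell a blocked path from a missing parent, so document the new meaning of `false` and add tests for `'__proto__.toString'`, `['__proto__', 'toString']` and a `constructor`-prefixed path so the per-segment `toKey` check is covered. The second operand of the `constructor` condition and the traversal body are elided in this excerpt, so the hunk as shown does not let a reviewer confirm under which condition `constructor` is rejected or that the final key is still deleted after the loop; the full condition and the `nested` advance belong in the diff.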

Exploit Details

Mitigation Strategies

  • Input Sanitization: Reject inputs containing '__proto__', 'constructor', or 'prototype' as a path segment.
  • Runtime Hardening: Use Object.freeze(Object.prototype) to prevent modification.
  • Data Structure Hygiene: Prefer Map over plain objects for key-value stores.
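The segment check described in the TL;DR and the first two mitigations above, written out as an added example. This is not lodash's code and not the 4.17.23 patch: `castPath`, `findDangerousSegment`, `safeUnset`, `safeOmit`, `clonePlain` and `freezeCorePrototypes` are names chosen here, and the path parser is deliberately narrower than lodash's (dot and plain bracket notation only), so the block runs without lodash installed.

```javascript
'use strict';
// Added example, not lodash's own code: a segment check in the spirit of the 4.17.23 fix,
// wrapped around a minimal unset/omit so it runs without lodash installed.

// Segments that must never be traversed when the path comes from untrusted input.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Turn 'a.b[0].c' or ['a', 'b', 0, 'c'] into a flat list of string keys.
// Assumption: dot and plain bracket notation only (no quoted bracket keys),
// which is narrower than lodash's castPath.
function castPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\w+)\]/g, '.$1') // a[0].b -> a.0.b
    .split('.')
    .filter((segment) => segment.length > 0);
}

// Returns the first dangerous segment in the path, or null if the path is clean.
function findDangerousSegment(path) {
  for (const key of castPath(path)) {
    if (DANGEROUS_SEGMENTS.has(key)) return key;
  }
  return null;
}

// Delete the property at `path` without ever stepping onto a prototype.
// Returns true when the delete succeeded, false when the path was blocked,
// a parent was missing, or the property was not configurable.
function safeUnset(object, path) {
  const keys = castPath(path);
  if (keys.length === 0 || findDangerousSegment(keys) !== null) return false;
  let nested = object;
  for (let i = 0; i < keys.length - 1; i++) {
    // Follow own properties only, so a missing key never resolves via the prototype chain.
    if (nested === null || typeof nested !== 'object' ||
        !Object.prototype.hasOwnProperty.call(nested, keys[i])) {
      return false;
    }
    nested = nested[keys[i]];
  }
  if (nested === null || typeof nested !== 'object') return false;
  try {
    return delete nested[keys[keys.length - 1]]; // throws in strict mode if non-configurable
  } catch (_err) {
    return false;
  }
}

// Deep-copy plain data (objects, arrays, primitives). Keys are defined as own data
// properties so a JSON key literally named "__proto__" cannot re-point the clone's prototype.
function clonePlain(value) {
  if (Array.isArray(value)) return value.map(clonePlain);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      Object.defineProperty(out, key, {
        value: clonePlain(value[key]), enumerable: true, writable: true, configurable: true,
      });
    }
    return out;
  }
  return value;
}

// Return a copy of `object` with the given paths removed. Blocked paths are reported
// instead of being silently ignored, so callers can log or reject the request.
function safeOmit(object, paths) {
  const result = clonePlain(object);
  const blocked = [];
  for (const p of paths) {
    if (findDangerousSegment(p) !== null) blocked.push(p);
    else safeUnset(result, p);
  }
  return { result, blocked };
}

// Runtime hardening from the mitigation list: freeze core prototypes once at startup,
// before untrusted input is processed, so even an unpatched library cannot remove methods.
function freezeCorePrototypes() {
  for (const proto of [Object.prototype, Array.prototype, Function.prototype]) {
    Object.freeze(proto);
  }
}
```

Two design points: the walk follows own properties only, so a missing intermediate key fails closed instead of resolving through the prototype chain, and `safeOmit` returns the blocked paths rather than dropping them, which is the signal a request validator or detection rule wants. `freezeCorePrototypes` is opt-in because freezing `Object.prototype` also breaks any library that legitimately extends it; call it early in startup and run the test suite before shipping it.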

Remediation Steps:

  1. Identify vulnerable dependencies using npm audit or yarn audit.
  2. Update lodash to version 4.17.23 or higher.
  3. Verify that transitive dependencies (dependencies of your dependencies) are also using the updated version.

Read the full report for CVE-2025-13465 on our website for more details including interactive diagrams and full exploit analysis.
