VDB
KO
MEDIUM 6.5

GHSA-f23m-r3pf-42rh

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Details

### Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

### Patches

This issue is patched in 4.18.0.

### Workarounds

None. Upgrade to the patched version.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / lodash
Introduced in: 0 Fixed in: 4.18.0
Fix npm install lodash@4.18.0
npm / lodash-es
Introduced in: 0 Fixed in: 4.18.0
Fix npm install lodash-es@4.18.0
npm / lodash-amd
Introduced in: 0 Fixed in: 4.18.0
Fix npm install lodash-amd@4.18.0
npm / lodash.unset
Introduced in: 4.0.0 Fixed in: 4.18.0
Fix npm install lodash.unset@4.18.0

References