
PGV-2605591 - Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

Disclosed on January 21, 2026 (updated June 02, 2026)

Vulnerability Overview

PGV-2605591 is a category 4 vulnerability that affects the following packages:

  • lodash, versions ≥ 4.0.0 & < 4.17.23
  • lodash.unset, versions ≥ 4.0.0 & ≤ 4.5.2
  • lodash-amd, versions ≥ 4.0.0 & < 4.17.23
  • lodash-es, versions ≥ 4.0.0 & < 4.17.23

Risk Assessment

The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is an environmental compromise. Exploitation can escape the application boundary and impact the host environment, infrastructure, or other services.

The threat damage is a limited denial of service: exploitation can degrade or intermittently disrupt application availability without causing a full outage. It also involves limited data tampering: exploitation does not allow modification of data beyond what the user is already authorized to modify.

Vulnerability Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker who controls the property path passed to either function can supply a crafted path that causes Lodash to delete methods from global prototypes.

The issue permits deletion of prototype properties but does not allow an attacker to overwrite them with attacker-controlled behavior.
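The following is an added example, not lodash's source or the project's fix. It shows a minimal path-walking `unset`, modelled on the generic "walk each path segment, then delete the last key" behaviour the advisory describes, beside a hardened variant that refuses segments which can reach a prototype object. The names `Widget`, `unsetVulnerable`, `unsetHardened` and `demo` are constructed for this illustration, and `Widget.prototype` stands in for the global prototypes the advisory mentions so the demonstration does not damage `Object.prototype` in the running process.

```javascript
// Added illustration of path-based prototype pollution via delete.
// This is NOT lodash's implementation; it is a simplified model of the
// path-walking pattern that the advisory describes. All names below are
// constructed for this example.

// Split a dotted path such as "a.b.c" or "constructor.prototype.greet".
function toPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable: follows every segment, including "__proto__", "constructor"
// and "prototype", so the final delete can land on a shared prototype.
function unsetVulnerable(object, path) {
  const keys = toPath(path);
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (current == null) return true;
    current = current[keys[i]];
  }
  if (current == null) return true;
  return delete current[keys[keys.length - 1]];
}

// Hardened: reject any segment that can reach a prototype object, and only
// descend through own properties of the target so inherited links are never
// followed.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function unsetHardened(object, path) {
  const keys = toPath(path);
  if (keys.some((k) => DANGEROUS_KEYS.has(k))) {
    throw new Error(`refusing prototype-reaching path: ${keys.join('.')}`);
  }
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (current == null || !Object.prototype.hasOwnProperty.call(current, keys[i])) {
      return true; // nothing to delete
    }
    current = current[keys[i]];
  }
  if (current == null) return true;
  return delete current[keys[keys.length - 1]];
}

// Stand-in for a "global prototype": a class whose method every instance
// shares. Deleting it from the prototype affects all instances at once.
class Widget {
  greet() { return 'hello'; }
}

// Run the attack against the vulnerable walker, then show the hardened
// walker refusing the same path. Returns a summary so results can be checked.
function demo() {
  const victim = new Widget();     // the object the attacker's path is applied to
  const untouched = new Widget();  // an unrelated instance elsewhere in the app

  const before = typeof untouched.greet; // "function"

  // Crafted path: reaches Widget.prototype through the instance's constructor.
  unsetVulnerable(victim, 'constructor.prototype.greet');
  const afterVulnerable = typeof untouched.greet; // "undefined": shared method gone

  // Restore the prototype so nothing else in this process is affected.
  Widget.prototype.greet = function greet() { return 'hello'; };

  let refused = false;
  try {
    unsetHardened(victim, '__proto__.greet'); // alternative spelling of the same attack
  } catch (e) {
    refused = true;
  }
  const afterHardened = typeof untouched.greet; // still "function"

  // Ordinary nested deletes keep working on the hardened variant.
  const doc = { a: { b: 1, c: 2 } };
  unsetHardened(doc, 'a.b');

  return { before, afterVulnerable, refused, afterHardened, doc };
}
```

The example models the impact the advisory states: the shared method is deleted, not replaced, so every object inheriting from that prototype loses it. In a real application the path would be untrusted input, for instance a list of field names a client asks the server to strip from a response; `_.omit` accepts the same property-path syntax as `_.unset`, which is why the advisory lists both. The hardened walker is an illustration of the defensive idea (reject `__proto__`, `constructor` and `prototype` segments and descend only through own properties); it is not a claim about how lodash 4.17.23 implements its fix.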

Patches

This issue is patched in 4.17.23 for lodash, lodash-amd and lodash-es. For lodash.unset, the affected range above covers every release up to 4.5.2 and no patched version is listed. To see which versions a dependency tree actually resolves, run `npm ls lodash lodash-es lodash-amd lodash.unset` (or the equivalent for your package manager) and upgrade any entry that falls in an affected range.

Common Weakness Enumerations

  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Additional Identifiers
  • CVE-2025-13465
  • GHSA-xxjr-mmjv-4gpg