DEBIAN-CVE-2025-13465

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2025-13465

Published: 21 Jan 2026, 20:16

Last modified:28 Apr 2026, 20:29

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 Jan 2026, 20:16

Published

Vulnerability first disclosed

28 Apr 2026, 20:29

Last Modified

Vulnerability information updated

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Systems

debian•node-lodash
all | all | all | all | < 4.17.21+dfsg+~cs8.31.198.20210220-10

References (1)

https://security-tracker.debian.org/tracker/CVE-2025-13465