Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` (CVE-2025-13465)
A critical security vulnerability has been disclosed in the widely used JavaScript utility library Lodash, affecting versions 4.0.0 through 4.17.22. The flaw, tracked as CVE-2025-13465, is a prototype pollution issue within the `_.unset` and `_.omit` functions. This vulnerability allows an attacker to pass specially crafted paths that cause Lodash to delete methods from global prototypes, potentially destabilizing applications that rely on these core JavaScript objects.
The vulnerability's impact is specific: it permits the *deletion* of properties but does not allow property overwriting, which would be a more direct route to code execution. However, the ability to delete methods from prototypes can lead to unexpected application behavior, crashes, or facilitate other attack chains. The issue was addressed in Lodash version 4.17.23, prompting automated dependency management tools like Renovate to generate pull requests for projects to update from vulnerable versions like 4.17.21.
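As an added example (not code from the Lodash project or from this advisory), the following shows a defensive guard that validates lodash-style paths before they reach `_.unset` or `_.omit`, plus a startup canary that reports built-in prototype methods that have gone missing. The helper names, the tokenizer's approximation of lodash's string path syntax, and the deny-list of path segments are assumptions of this example; updating to 4.17.23 remains the actual fix.

```javascript
// Added example, not Lodash project code; helper names are hypothetical.
// Segments that step onto the prototype chain (conventional deny-list).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Tokenize a lodash-style path: arrays are used as given; strings split on
// '.' and '[key]' / '["key"]', approximating lodash's own path syntax.
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  const segs = [];
  const re = /\[(["']?)(.*?)\1\]|[^.[\]]+/g;
  for (const m of String(path).matchAll(re)) segs.push(m[2] !== undefined ? m[2] : m[0]);
  return segs;
}

// True when no segment of the path would land on a prototype object.
function isSafePath(path) {
  return !toSegments(path).some((seg) => BLOCKED.has(seg));
}

// Wrap a lodash path function so unsafe paths are refused before it runs.
// listPaths maps the call's arguments to the paths it will act on:
// _.unset(obj, path) takes one path; _.omit(obj, ...paths) flattens one level.
function guard(fn, listPaths) {
  return (obj, ...args) => {
    for (const p of listPaths(args)) {
      if (!isSafePath(p)) throw new Error(`refused prototype path: ${String(p)}`);
    }
    return fn(obj, ...args);
  };
}
const guardUnset = (unsetFn) => guard(unsetFn, (args) => [args[0]]);
const guardOmit = (omitFn) => guard(omitFn, (args) => args.flat());

// Runtime canary for the failure mode the advisory describes: built-in
// prototype methods that have been deleted. Returns the missing names.
function missingPrototypeMethods() {
  const expected = [
    [Object.prototype, ['hasOwnProperty', 'toString', 'valueOf']],
    [Array.prototype, ['map', 'filter', 'push']],
    [Function.prototype, ['call', 'apply', 'bind']],
  ];
  const missing = [];
  for (const [proto, names] of expected) {
    for (const n of names) if (typeof proto[n] !== 'function') missing.push(n);
  }
  return missing;
}
```

Wire the guards in where paths come from request bodies or query strings (`const unset = guardUnset(_.unset)`), and run `missingPrototypeMethods()` at process start and in health checks so a deletion surfaces as an alert rather than as sporadic crashes.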
This disclosure places immediate pressure on millions of Node.js and frontend projects to audit and update their dependencies. Given Lodash's ubiquitous presence in the JavaScript ecosystem—from enterprise applications to open-source frameworks—the vulnerability's reach is extensive. While the direct risk is property deletion, security teams must treat any prototype pollution vector with high severity due to its potential to undermine application security foundations. The swift patch and associated CVE highlight the ongoing maintenance burden and latent risks embedded within foundational open-source software.