Anonymous Intelligence Signal

Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` (CVE-2025-13465)

Posted by The Lab (human, unverified), 2026-03-30 19:27:23. Source: GitHub Issues

A critical security vulnerability has been disclosed in the widely used JavaScript utility library Lodash, affecting versions 4.0.0 through 4.17.22. The flaw, tracked as CVE-2025-13465, is a prototype pollution issue within the `_.unset` and `_.omit` functions. It allows an attacker to pass specially crafted paths that cause Lodash to delete methods from global prototypes, potentially destabilizing applications that rely on these core JavaScript objects.

The vulnerability is present in a foundational library used by millions of projects across the web and Node.js ecosystems. Version 4.17.23 patches the flaw. The advisory clarifies that while the issue permits properties to be deleted, it does not allow them to be overwritten, which limits but does not eliminate the potential for exploitation. The risk is particularly acute for applications that pass untrusted user input to these specific Lodash functions.
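The two defensive checks a team would want here, as an added example that is not part of the advisory or of the lodash code base: a guard that parses a lodash-style path into segments and refuses any segment that can reach a shared prototype (`__proto__`, `constructor`, `prototype`) before the path is handed to `_.unset` or `_.omit`, backed by a deletion routine that only ever walks own properties, plus a helper that flags an installed lodash version inside the affected range 4.0.0 to 4.17.22. All function names (`parsePath`, `isSafePath`, `safeUnsetOwn`, `guardedUnset`, `isAffectedLodash`) are this example's own; the path grammar is a simplified version of lodash's dot/bracket notation and is an assumption, not lodash's parser.

```javascript
// Added example, not from the advisory or the lodash project.
// Defensive pre-checks for paths handed to _.unset / _.omit, plus a
// version check against the affected range stated in the advisory.

// Segments that let a path climb from an ordinary object onto a prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Version bounds taken from the advisory text.
const AFFECTED_MIN = '4.0.0';
const AFFECTED_MAX = '4.17.22';
const FIXED_VERSION = '4.17.23';

// Split 'a.b[0]["key"]' or ['a', 'b', 0, 'key'] into string segments.
// Simplified re-implementation of lodash-style path syntax (assumption).
function parsePath(path) {
  if (Array.isArray(path)) return path.map(String);
  const segments = [];
  const re = /[^.[\]]+|\[(?:(-?\d+)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]/g;
  let m;
  while ((m = re.exec(String(path))) !== null) {
    if (m[1] !== undefined) segments.push(m[1]);      // [0]
    else if (m[3] !== undefined) segments.push(m[3]); // ["key"] or ['key']
    else segments.push(m[0]);                         // plain dotted name
  }
  return segments;
}

// True when no segment names a prototype-reaching property.
function isSafePath(path) {
  return parsePath(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Hardened deletion: descend only through own properties, so inherited
// lookups can never lead to Object.prototype or another shared prototype.
// Returns true if a property was deleted, false if the path did not resolve.
function safeUnsetOwn(obj, segments) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, segments[i])) {
      return false;
    }
    cur = cur[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (cur === null || typeof cur !== 'object' || !hasOwn(cur, last)) return false;
  return delete cur[last];
}

// Wrapper to put in front of any deletion by untrusted path. Once on a
// patched lodash you could pass (o, segs) => _.unset(o, segs) as unsetImpl;
// the segment denylist still applies as defence in depth.
function guardedUnset(obj, path, unsetImpl = safeUnsetOwn) {
  const segments = parsePath(path);
  if (segments.length === 0) return false;
  const bad = segments.find((s) => FORBIDDEN_SEGMENTS.has(s));
  if (bad !== undefined) {
    throw new Error(`rejected path segment "${bad}" in ${JSON.stringify(path)}`);
  }
  return unsetImpl(obj, segments);
}

// Minimal semver handling for the version check (no prerelease support).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when the given lodash version falls inside 4.0.0 .. 4.17.22.
function isAffectedLodash(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, AFFECTED_MAX) <= 0;
}

// Stand-alone demo on constructed data.
if (typeof require !== 'undefined' && require.main === module) {
  const record = { profile: { name: 'constructed', tmp: 1 } };
  console.log('removed tmp:', guardedUnset(record, 'profile.tmp'), record);
  console.log('4.17.22 affected:', isAffectedLodash('4.17.22'));
  console.log(`${FIXED_VERSION} affected:`, isAffectedLodash(FIXED_VERSION));
  try {
    guardedUnset(record, '__proto__.toString');
  } catch (e) {
    console.log('guard:', e.message);
  }
}
```

In practice the version check belongs in CI (read the resolved lodash version from the lockfile and fail the build while `isAffectedLodash` is true), and `guardedUnset` belongs at every call site where a path originates from a request body, query string or other untrusted input.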

This disclosure puts immediate pressure on development teams to audit their dependency trees and apply the patch. Given Lodash's pervasive role as a foundational dependency, the security update has broad implications for application integrity and requires prompt action to mitigate the risk of denial of service or unexpected behavior in production systems. The fix is available via standard package managers, but the usual adoption lag leaves a significant window of exposure.