Description
Link to the code that reproduces this issue
https://github.com/jaytarr-geo/nextjs-lodash-cve-2025-13465-repro
To Reproduce
- Clone the reproduction repo or create a fresh Next.js app:
  npx create-next-app@16.1.6 my-app
  cd my-app
- Run:
  grep -oP '4\.17\.\d+' node_modules/next/dist/compiled/jsonwebtoken/index.js | sort -u
- Output:
  4.17.21
- Run:
  grep -oP '4\.17\.\d+' node_modules/next/dist/compiled/babel-packages/packages-bundle.js | sort -u
- Output:
  4.17.21
Both files contain the full lodash 4.17.21 library including the vulnerable _.unset and _.omit functions.
Current vs. Expected behavior
Current behavior: Next.js 16.1.6 ships lodash@4.17.21 in its vendored dist/compiled/ files (jsonwebtoken/index.js and babel-packages/packages-bundle.js). Security scanners (OWASP Dependency-Check) flag CVE-2025-13465 and downstream consumers cannot resolve it via npm audit fix or dependency overrides since the code is pre-compiled.
Expected behavior: The vendored lodash should be updated to 4.17.23+ to resolve CVE-2025-13465 (prototype pollution in _.unset and _.omit).
Provide environment information
Operating System:
Platform: linux
Arch: x64
Version: #96~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC
Available memory (MB): 31704
Available CPU cores: 20
Binaries:
Node: 25.4.0
npm: 11.8.0
Yarn: N/A
pnpm: N/A
Relevant Packages:
next: 16.1.6 // Latest available version is detected (16.1.6).
eslint-config-next: N/A
react: 19.2.3
react-dom: 19.2.3
typescript: 5.9.3
Next.js Config:
output: N/A
Which area(s) are affected? (Select all that apply)
Not sure
Which stage(s) are affected? (Select all that apply)
next build (local)
Additional context
Next.js bundles the full lodash@4.17.21 library in pre-compiled files under dist/compiled/. This version is affected by CVE-2025-13465 (prototype pollution in _.unset and _.omit), patched in lodash@4.17.23.
Affected files
node_modules/next/dist/compiled/jsonwebtoken/index.js
node_modules/next/dist/compiled/babel-packages/packages-bundle.js
Both contain lodash@4.17.21 as of Next.js 16.1.6. Verified by grepping the version string directly from the compiled bundles.
Context
This is the same pattern as #83459 (cross-spawn in dist/compiled) and #79331 (@babel/runtime in compiled deps). Downstream teams cannot remediate these vulnerabilities without an upstream re-bundle by the Next.js team.