CVE-2025-13465 Affecting py3-jupyterlab package, versions <4.6.1-r1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
1.54% (72nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-PY3JUPYTERLAB-17800625
  • published3 Jul 2026
  • disclosed21 Jan 2026

Introduced: 21 Jan 2026

CVE-2025-13465  (opens in a new tab)

How to fix?

Upgrade Wolfi py3-jupyterlab to version 4.6.1-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-jupyterlab package and not the py3-jupyterlab package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched on 4.17.23

CVSS Base Scores

version 3.1