CVE-2025-4759

Опубликовано: 16 мая 2025

Источник: nvd

CVSS3: 8.3

CVSS3: 5.3

EPSS Низкий

Описание

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

Ссылки

https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f
Exploit
https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63
Broken Link
https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca
Patch
https://github.com/lirantal/lockfile-lint/pull/204
Patch
https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:lirantal:lockfile-lint-api:*:*:*:*:*:node.js:*:*

Версия до 5.9.2 (исключая)

EPSS

Процентиль: 16%

0.00051

Низкий

8.3 High

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-179

NVD-CWE-noinfo

Связанные уязвимости

GHSA-7cfr-5cjf-32p4

CVSS3: 8.3

github

9 месяцев назад

lockfile-lint-api Vulnerable to Incorrect Behavior Order

EPSS

Процентиль: 16%

0.00051

Низкий

8.3 High

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-179

NVD-CWE-noinfo