openSUSE-SU-2026:20239-1

Published: 17 Feb 2026
Source: suse-cvrf

Description

Security update for golang-github-prometheus-prometheus

This update for golang-github-prometheus-prometheus fixes the following issues:

  • CVE-2026-25547: Fixed an unbounded brace range expansion leading to excessive CPU and memory consumption. (bsc#1257841)
  • CVE-2026-1615: Fixed arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions in jsonpath. (bsc#1257897)
  • CVE-2025-61140: Fixed a function vulnerable to prototype pollution in jsonpath. (bsc#1257442)

Package list

openSUSE Leap 16.0
golang-github-prometheus-prometheus-3.5.0-160000.2.1

Description (CVE-2025-61140)

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.


Affected products
openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1

References

Description (CVE-2026-1615)

Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
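The description above explains that the risk comes from handing untrusted path expressions to an evaluator that executes script and filter sub-expressions. One defensive control that does not depend on the library's internals is to validate user-supplied paths against a conservative allowlist grammar (plain member access, wildcards, indices, slices, quoted keys) and reject anything containing script or filter syntax before the expression ever reaches .query, .nodes, .value or the other evaluating methods. The validator below is an added example, not part of the advisory or of the jsonpath project; the accepted subset, the segment regex and the additional rejection of prototype-related key names are assumptions chosen for this illustration.

```javascript
// Added example (not jsonpath's own API): allowlist validator for
// JSON Path expressions supplied by users. Accepts only a conservative
// subset and rejects script/filter expressions such as "[?(...)]" or
// "[(...)]", which are the constructs an evaluator would execute.
//
// Accepted segments after the leading "$" (assumed subset):
//   .name        ..name       .*        ..*
//   [*]          [3]          [0,2]     [1:4]   [1:4:2]
//   ['key']      ["key"]
const SEGMENT = new RegExp(
  '^(?:' +
    '\\.\\.?(?:[A-Za-z_$][\\w$]*|\\*)' +          // dotted member or wildcard
    '|\\[(?:' +
      '\\*' +                                      // [*]
      '|-?\\d+(?:,-?\\d+)*' +                      // [n] or [n,m,...]
      '|-?\\d*:-?\\d*(?::-?\\d+)?' +               // [start:end(:step)]
      "|'[^'\\\\]*'" +                             // ['key'] (no escapes)
      '|"[^"\\\\]*"' +                             // ["key"] (no escapes)
    ')\\]' +
  ')'
);

// Key names that should never be addressed from untrusted input, since
// writing through them (e.g. via .value / .apply) can pollute prototypes.
const FORBIDDEN_KEY = /\b(__proto__|constructor|prototype)\b/;

// Returns true only if `expr` is a string made entirely of allowed segments.
function isSafeJsonPath(expr) {
  if (typeof expr !== 'string' || !expr.startsWith('$')) return false;
  if (FORBIDDEN_KEY.test(expr)) return false;
  let rest = expr.slice(1);
  while (rest.length > 0) {
    const m = SEGMENT.exec(rest);
    if (!m) return false;            // anything unexpected, including "(" or "?"
    rest = rest.slice(m[0].length);
  }
  return true;
}

// Gatekeeper to place in front of an evaluating call: throws on unsafe input
// so the expression never reaches the evaluator.
function requireSafeJsonPath(expr) {
  if (!isSafeJsonPath(expr)) {
    throw new Error('rejected JSON Path expression: ' + String(expr));
  }
  return expr;
}
```

Usage: call requireSafeJsonPath(userInput) and pass its return value to the evaluating method; the allowlist is intentionally narrow, so extend SEGMENT only for syntax you have reviewed and are sure the evaluator treats as data rather than code.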


Affected products
openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1

References

Description (CVE-2026-25547)

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
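The failure mode described above is eager expansion of a Cartesian product whose size is the product of the individual brace sizes. A defender-side control is to compute that product from the pattern first and refuse to expand when it exceeds a cap, so the process never allocates the result. The code below is an added example, not the advisory's or the @isaacs/brace-expansion project's code; it assumes non-nested braces, supports numeric ranges with an optional step and comma lists, and uses a default cap of 10000 chosen for illustration.

```javascript
// Added example (not from @isaacs/brace-expansion): estimate the expansion
// size of a brace pattern before expanding it, and refuse oversized input.
// Assumption: braces are not nested; "{a..b}", "{a..b..step}" and
// "{x,y,z}" are handled, any other brace body is kept as a literal.

const BRACE_RE = /\{([^{}]*)\}/g;

// Describe one brace body: how many alternatives it has, and a function that
// materialises them only when actually needed. Returns null for literals.
function braceAlternatives(body) {
  const range = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  if (range) {
    const lo = parseInt(range[1], 10);
    const hi = parseInt(range[2], 10);
    let step = range[3] !== undefined ? Math.abs(parseInt(range[3], 10)) : 1;
    if (step === 0) step = 1;
    const count = Math.floor(Math.abs(hi - lo) / step) + 1;
    const dir = hi >= lo ? 1 : -1;
    return {
      count,
      items: () => {
        const out = [];
        for (let i = 0; i < count; i++) out.push(String(lo + dir * i * step));
        return out;
      },
    };
  }
  if (body.includes(',')) {
    const items = body.split(',');
    return { count: items.length, items: () => items };
  }
  return null; // e.g. "{foo}" is not an expansion
}

// Size of the Cartesian product: multiply the alternative counts. This is
// cheap (one pass over the pattern) regardless of how large the result is.
function estimateExpansionCount(pattern) {
  let total = 1;
  for (const m of pattern.matchAll(BRACE_RE)) {
    const alt = braceAlternatives(m[1]);
    if (alt) total *= alt.count;
  }
  return total;
}

// Expand only when the estimate is within `limit`; otherwise throw before
// any of the result strings are allocated.
function expandBounded(pattern, limit = 10000) {
  const count = estimateExpansionCount(pattern);
  if (count > limit) {
    throw new RangeError(`pattern would expand to ${count} strings (limit ${limit})`);
  }
  let results = [''];
  let last = 0;
  for (const m of pattern.matchAll(BRACE_RE)) {
    const literal = pattern.slice(last, m.index);
    const alt = braceAlternatives(m[1]);
    const parts = alt ? alt.items() : [m[0]];
    results = results.flatMap(prefix => parts.map(p => prefix + literal + p));
    last = m.index + m[0].length;
  }
  const tail = pattern.slice(last);
  return results.map(r => r + tail);
}
```

The estimate is computed from the pattern text alone, so a pattern with three 1000-element ranges is rejected after a few string operations instead of after attempting to build a billion strings; tune the limit to what the calling code can actually afford to hold in memory.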


Affected products
openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1

References