|
548 | 548 | "title": "CVE-2025-12758 - validator", |
549 | 549 | "reason_to_ignore": "N/A" |
550 | 550 | } |
| 551 | + ], |
| 552 | + "qs": [ |
| 553 | + { |
| 554 | + "description": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.\n\nSummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.\n\nDetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).\n\nVulnerable code (lib/parse.js:159-162):\n\nif (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check }\n\nWorking code (lib/parse.js:175):\n\nelse if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; }\n\nThe bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.\n\nPoCTest 1 - Basic bypass:\n\nnpm install qs\n\nconst qs", |
| 555 | + "vulnerability_id": "CVE-2025-15284", |
| 556 | + "name": "CVE-2025-15284", |
| 557 | + "package_name": "qs", |
| 558 | + "package_details": { |
| 559 | + "file_path": "/usr/local/lib/python3.12/site-packages/jupyterlab/staging/yarn.lock", |
| 560 | + "name": "qs", |
| 561 | + "package_manager": "NODE", |
| 562 | + "version": "6.13.0", |
| 563 | + "release": null |
| 564 | + }, |
| 565 | + "remediation": { |
| 566 | + "recommendation": { |
| 567 | + "text": "None Provided" |
| 568 | + } |
| 569 | + }, |
| 570 | + "cvss_v3_score": 7.5, |
| 571 | + "cvss_v30_score": 0.0, |
| 572 | + "cvss_v31_score": 7.5, |
| 573 | + "cvss_v2_score": 0.0, |
| 574 | + "cvss_v3_severity": "HIGH", |
| 575 | + "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284", |
| 576 | + "source": "NVD", |
| 577 | + "severity": "HIGH", |
| 578 | + "status": "ACTIVE", |
| 579 | + "title": "CVE-2025-15284 - qs", |
| 580 | + "reason_to_ignore": "N/A" |
| 581 | + } |
| 582 | + ], |
| 583 | + "tar": [ |
| 584 | + { |
| 585 | + "description": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order", |
| 586 | + "vulnerability_id": "CVE-2026-23950", |
| 587 | + "name": "CVE-2026-23950", |
| 588 | + "package_name": "tar", |
| 589 | + "package_details": { |
| 590 | + "file_path": "/usr/local/lib/python3.12/site-packages/jupyterlab/staging/yarn.lock", |
| 591 | + "name": "tar", |
| 592 | + "package_manager": "NODE", |
| 593 | + "version": "6.1.11", |
| 594 | + "release": null |
| 595 | + }, |
| 596 | + "remediation": { |
| 597 | + "recommendation": { |
| 598 | + "text": "None Provided" |
| 599 | + } |
| 600 | + }, |
| 601 | + "cvss_v3_score": 8.8, |
| 602 | + "cvss_v30_score": 0.0, |
| 603 | + "cvss_v31_score": 8.8, |
| 604 | + "cvss_v2_score": 0.0, |
| 605 | + "cvss_v3_severity": "HIGH", |
| 606 | + "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", |
| 607 | + "source": "NVD", |
| 608 | + "severity": "HIGH", |
| 609 | + "status": "ACTIVE", |
| 610 | + "title": "CVE-2026-23950 - tar", |
| 611 | + "reason_to_ignore": "N/A" |
| 612 | + } |
| 613 | + ], |
| 614 | + "vega-functions": [ |
| 615 | + { |
| 616 | + "description": "vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.", |
| 617 | + "vulnerability_id": "CVE-2025-66648", |
| 618 | + "name": "CVE-2025-66648", |
| 619 | + "package_name": "vega-functions", |
| 620 | + "package_details": { |
| 621 | + "file_path": "/usr/local/lib/python3.12/site-packages/jupyterlab/staging/yarn.lock", |
| 622 | + "name": "vega-functions", |
| 623 | + "package_manager": "NODE", |
| 624 | + "version": "5.18.0", |
| 625 | + "release": null |
| 626 | + }, |
| 627 | + "remediation": { |
| 628 | + "recommendation": { |
| 629 | + "text": "None Provided" |
| 630 | + } |
| 631 | + }, |
| 632 | + "cvss_v3_score": 7.2, |
| 633 | + "cvss_v30_score": 0.0, |
| 634 | + "cvss_v31_score": 7.2, |
| 635 | + "cvss_v2_score": 0.0, |
| 636 | + "cvss_v3_severity": "HIGH", |
| 637 | + "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66648", |
| 638 | + "source": "NVD", |
| 639 | + "severity": "HIGH", |
| 640 | + "status": "ACTIVE", |
| 641 | + "title": "CVE-2025-66648 - vega-functions", |
| 642 | + "reason_to_ignore": "N/A" |
| 643 | + } |
| 644 | + ], |
| 645 | + "vega-selections": [ |
| 646 | + { |
| 647 | + "description": "Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if \"safe mode\" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the ", |
| 648 | + "vulnerability_id": "CVE-2025-65110", |
| 649 | + "name": "CVE-2025-65110", |
| 650 | + "package_name": "vega-selections", |
| 651 | + "package_details": { |
| 652 | + "file_path": "/usr/local/lib/python3.12/site-packages/jupyterlab/staging/yarn.lock", |
| 653 | + "name": "vega-selections", |
| 654 | + "package_manager": "NODE", |
| 655 | + "version": "5.6.0", |
| 656 | + "release": null |
| 657 | + }, |
| 658 | + "remediation": { |
| 659 | + "recommendation": { |
| 660 | + "text": "None Provided" |
| 661 | + } |
| 662 | + }, |
| 663 | + "cvss_v3_score": 8.1, |
| 664 | + "cvss_v30_score": 0.0, |
| 665 | + "cvss_v31_score": 8.1, |
| 666 | + "cvss_v2_score": 0.0, |
| 667 | + "cvss_v3_severity": "HIGH", |
| 668 | + "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65110", |
| 669 | + "source": "NVD", |
| 670 | + "severity": "HIGH", |
| 671 | + "status": "ACTIVE", |
| 672 | + "title": "CVE-2025-65110 - vega-selections", |
| 673 | + "reason_to_ignore": "N/A" |
| 674 | + } |
551 | 675 | ] |
552 | 676 | } |
0 commit comments