8.3
CVE-2025-4759
- EPSS 0.35%
- Veröffentlicht 16.05.2025 05:00:04
- Zuletzt bearbeitet 03.06.2025 15:57:29
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
LoginVersions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Lirantal ≫ Lockfile-lint-api SwPlatformnode.js Version < 5.9.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.268 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| report@snyk.io | 5.5 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| report@snyk.io | 8.3 | 3.9 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
CWE-179 Incorrect Behavior Order: Early Validation
The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587
https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f
https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63
https://github.com/lirantal/lockfile-lint/pull/204
https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca