High severity 8.6 · OSV Advisory · Published Nov 10, 2025 · Updated Apr 15, 2026
CVE-2025-12613
Description
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. Note: Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
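The injection class described above, as an added illustration that is not taken from the cloudinary package or from this advisory: a serializer that joins `key=value` pairs without encoding lets an ampersand inside a value become a new parameter on the receiving side, while percent-encoding keeps it as data. All function names and sample values are constructed, and the page does not show the package's own serialization code.

```javascript
// Added illustration of the bug class; NOT cloudinary's code.
// All names and sample values below are constructed.

// Unsafe: joins key=value pairs without encoding the value.
function serializeNaive(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
}

// Safe: percent-encodes keys and values so "&" and "=" stay data.
function serializeEncoded(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join("&");
}

// What a receiving server sees after parsing the form-encoded body.
function parseAsServer(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Defensive check: the parsed result must have exactly the keys that were
// sent, each with its original value. Usable as a unit test for a serializer.
function roundTrips(params, serialize) {
  const seen = parseAsServer(serialize(params));
  const keys = Object.keys(params);
  return Object.keys(seen).length === keys.length &&
    keys.every((k) => seen[k] === String(params[k]));
}

// Constructed input: one user-controlled value containing "&" and "=".
const sample = { caption: "cats&extra=1", folder: "uploads" };

function demo() {
  return {
    naive: parseAsServer(serializeNaive(sample)),     // gains an "extra" key
    encoded: parseAsServer(serializeEncoded(sample)), // caption kept intact
    naiveOk: roundTrips(sample, serializeNaive),
    encodedOk: roundTrips(sample, serializeEncoded),
  };
}

console.log(demo());
```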
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cloudinary (npm) | < 2.7.0 | 2.7.0 |
Affected products (2)
- Range: 1.0.10, 1.0.12, 1.0.13, …
References (5)
- github.com/advisories/GHSA-g4mf-96x5-5m2c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-12613 (ghsa, ADVISORY)
- github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050 (nvd, WEB)
- github.com/cloudinary/cloudinary_npm/pull/709 (nvd, WEB)
- security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740 (nvd, WEB)