Moderate severity · NVD Advisory · Published May 16, 2025 · Updated May 16, 2025
CVE-2025-4759
Description
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation, which can be bypassed by extending the package name, allowing an attacker to install npm packages other than the intended one.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| lockfile-lint-api | npm | < 5.9.2 | 5.9.2 |
References
- https://github.com/advisories/GHSA-7cfr-5cjf-32p4 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-4759 (GHSA, advisory)
- https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f (GHSA, web)
- https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js (GHSA, web)
- https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca (GHSA, web)
- https://github.com/lirantal/lockfile-lint/pull/204 (GHSA, web)
- https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587 (GHSA, web)
- https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js#L51-L63 (MITRE)