High severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 5, 2026
CVE-2025-67419
Description
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @evershop/evershop (npm) | <= 2.1.0 | — |
Affected products
- Range: 1.0.0-rc.9, v1.0.0, v1.1.0, …
Patches
No patches discovered yet.