apk package
chainguard/cadence-web
pkg:apk/chainguard/cadence-web
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54285 | — | < 4.0.15-r4 | 4.0.15-r4 | Jun 15, 2026 | ## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in | ||
| CVE-2026-48712 | hig | — | < 4.0.15-r3 | 4.0.15-r3 | Jun 15, 2026 | ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n | |
| CVE-2026-54269 | — | < 4.0.15-r3 | 4.0.15-r3 | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc | ||
| CVE-2026-48068 | hig | — | < 4.0.15-r3 | 4.0.15-r3 | Jun 11, 2026 | ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4 | |
| CVE-2026-48069 | hig | — | < 4.0.15-r3 | 4.0.15-r3 | Jun 11, 2026 | ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 | |
| CVE-2026-44902 | Hig | 7.5 | < 4.0.16-r0 | 4.0.16-r0 | May 27, 2026 | opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ | |
| CVE-2026-45740 | Med | 5.3 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested | |
| CVE-2026-44294 | Med | 5.3 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int | |
| CVE-2026-44293 | Hig | 8.8 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no | |
| CVE-2026-44292 | Med | 5.3 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message | |
| CVE-2026-44291 | Hig | 8.1 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, | |
| CVE-2026-44290 | Hig | 7.5 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio | |
| CVE-2026-44289 | Hig | 7.5 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. | |
| CVE-2026-44288 | Med | 5.3 | < 4.0.15-r2 | 4.0.15-r2 | May 13, 2026 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can |
- CVE-2026-54285Jun 15, 2026affected < 4.0.15-r4fixed 4.0.15-r4
## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in
- affected < 4.0.15-r3fixed 4.0.15-r3
## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n
- CVE-2026-54269Jun 15, 2026affected < 4.0.15-r3fixed 4.0.15-r3
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc
- affected < 4.0.15-r3fixed 4.0.15-r3
### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4
- affected < 4.0.15-r3fixed 4.0.15-r3
### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5
- affected < 4.0.16-r0fixed 4.0.16-r0
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
- affected < 4.0.15-r2fixed 4.0.15-r2
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can