VYPR

apk package

chainguard/code-server

pkg:apk/chainguard/code-server

Vulnerabilities (62)

  • CVE-2026-44240 [High] May 12, 2026
    affected: < 4.112.0-r4, fixed: 4.112.0-r4

    basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p

  • CVE-2026-42338 [Medium] May 12, 2026
    affected: < 4.112.0-r4, fixed: 4.112.0-r4

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41907 [High] Apr 24, 2026
    affected: < 4.112.0-r3, fixed: 4.112.0-r3

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-41324 [High] Apr 24, 2026
    affected: < 4.112.0-r3, fixed: 4.112.0-r3

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing

  • CVE-2026-4800 [High] Mar 31, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950 [Medium] Mar 31, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33672 [Medium] Mar 26, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671 [High] Mar 26, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c

  • CVE-2026-4926 [High] Mar 26, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Work

  • CVE-2026-4923 [Medium] Mar 26, 2026
    affected: < 4.112.0-r2, fixed: 4.112.0-r2

    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*

  • CVE-2026-2229 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version

  • CVE-2026-1527 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-2581 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler

  • CVE-2026-1526 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525 Mar 12, 2026
    affected: < 4.110.1-r2, fixed: 4.110.1-r2

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-31988 [Medium] Mar 11, 2026
    affected: < 4.110.1-r1, fixed: 4.110.1-r1

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2026-3449 [Low] Mar 3, 2026
    affected: < 4.110.1-r1, fixed: 4.110.1-r1

    Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang

  • CVE-2026-27904 Feb 26, 2026
    affected: < 4.109.2-r0, fixed: 4.109.2-r0

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903 Feb 26, 2026
    affected: < 4.109.2-r0, fixed: 4.109.2-r0

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

Page 1 of 4