apk package
chainguard/code-server
pkg:apk/chainguard/code-server
Vulnerabilities (75)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-11525 | low | 3.7 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header | |
| CVE-2026-6733 | low | 3.7 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. | |
| CVE-2026-9678 | mod | 5.9 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: Undici: Information disclosure due to improper cache-control header parsing | |
| CVE-2026-9679 | mod | 5.9 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding | |
| CVE-2026-9697 | imp | 7.4 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy | |
| CVE-2026-6734 | imp | 7.5 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing | |
| CVE-2026-12151 | imp | 7.5 | < 4.125.0-r2 | 4.125.0-r2 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames | |
| CVE-2026-53655 | — | < 4.124.2-r1 | 4.124.2-r1 | Jun 15, 2026 | ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (` | ||
| CVE-2026-53550 | — | < 4.124.2-r0 | 4.124.2-r0 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event | ||
| CVE-2026-48779 | hig | — | < 4.124.2-r0 | 4.124.2-r0 | Jun 15, 2026 | ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea | |
| CVE-2026-9277 | Hig | 8.1 | < 4.123.0-r2 | 4.123.0-r2 | May 22, 2026 | shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te | |
| CVE-2026-8723 | Med | 5.3 | < 4.121.0-r1 | 4.121.0-r1 | May 17, 2026 | ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). | |
| CVE-2026-45736 | Med | 4.4 | < 4.121.0-r0 | 4.121.0-r0 | May 15, 2026 | ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1. | |
| CVE-2026-44240 | Hig | 7.5 | < 4.112.0-r4 | 4.112.0-r4 | May 12, 2026 | basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p | |
| CVE-2026-42338 | Med | 6.1 | < 4.112.0-r4 | 4.112.0-r4 | May 12, 2026 | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi | |
| CVE-2026-41907 | Hig | 7.5 | < 4.112.0-r3 | 4.112.0-r3 | Apr 24, 2026 | uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi | |
| CVE-2026-41324 | Hig | 7.5 | < 4.112.0-r3 | 4.112.0-r3 | Apr 24, 2026 | basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing | |
| CVE-2026-4800 | Hig | 8.1 | < 4.112.0-r2 | 4.112.0-r2 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a | |
| CVE-2026-2950 | Med | 6.5 | < 4.112.0-r2 | 4.112.0-r2 | Mar 31, 2026 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca | |
| CVE-2026-33672 | Med | 5.3 | < 4.112.0-r2 | 4.112.0-r2 | Mar 26, 2026 | Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions |
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: Undici: Information disclosure due to improper cache-control header parsing
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
- affected < 4.125.0-r2fixed 4.125.0-r2
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
- CVE-2026-53655Jun 15, 2026affected < 4.124.2-r1fixed 4.124.2-r1
### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`
- CVE-2026-53550Jun 15, 2026affected < 4.124.2-r0fixed 4.124.2-r0
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event
- affected < 4.124.2-r0fixed 4.124.2-r0
### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea
- affected < 4.123.0-r2fixed 4.123.0-r2
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te
- affected < 4.121.0-r1fixed 4.121.0-r1
### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
- affected < 4.121.0-r0fixed 4.121.0-r0
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
- affected < 4.112.0-r4fixed 4.112.0-r4
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p
- affected < 4.112.0-r4fixed 4.112.0-r4
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
- affected < 4.112.0-r3fixed 4.112.0-r3
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
- affected < 4.112.0-r3fixed 4.112.0-r3
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing
- affected < 4.112.0-r2fixed 4.112.0-r2
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a
- affected < 4.112.0-r2fixed 4.112.0-r2
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca
- affected < 4.112.0-r2fixed 4.112.0-r2
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions
Page 1 of 4