apk package
chainguard/gitlab-rails-ce-19.0
pkg:apk/chainguard/gitlab-rails-ce-19.0
Vulnerabilities (48)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-15558 | — | < 0 | 0 | Mar 4, 2026 | Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are | ||
| CVE-2025-68157 | — | < 19.0.3-r1 | 19.0.3-r1 | Feb 5, 2026 | Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a resul | ||
| CVE-2025-68458 | — | < 19.0.3-r1 | 19.0.3-r1 | Feb 5, 2026 | Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@h | ||
| CVE-2025-13465 | Med | 5.3 | < 19.0.3-r1 | 19.0.3-r1 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin | |
| CVE-2025-59288 | — | < 19.0.3-r1 | 19.0.3-r1 | Oct 14, 2025 | Improper verification of cryptographic signature in Github: Playwright allows an unauthorized attacker to perform spoofing over an adjacent network. | ||
| CVE-2025-59343 | Hig | — | < 19.0.3-r1 | 19.0.3-r1 | Sep 24, 2025 | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka | |
| CVE-2025-7783 | Cri | — | < 19.0.3-r1 | 19.0.3-r1 | Jul 18, 2025 | Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3. | |
| CVE-2025-48387 | Hig | — | < 19.0.3-r1 | 19.0.3-r1 | Jun 2, 2025 | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore o |
- CVE-2025-15558Mar 4, 2026affected < 0fixed 0
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
- CVE-2025-68157Feb 5, 2026affected < 19.0.3-r1fixed 19.0.3-r1
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a resul
- CVE-2025-68458Feb 5, 2026affected < 19.0.3-r1fixed 19.0.3-r1
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@h
- affected < 19.0.3-r1fixed 19.0.3-r1
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin
- CVE-2025-59288Oct 14, 2025affected < 19.0.3-r1fixed 19.0.3-r1
Improper verification of cryptographic signature in Github: Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.
- affected < 19.0.3-r1fixed 19.0.3-r1
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka
- affected < 19.0.3-r1fixed 19.0.3-r1
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
- affected < 19.0.3-r1fixed 19.0.3-r1
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore o
Page 3 of 3