VYPR

apk package

chainguard/jitsucom-jitsu-rotor

pkg:apk/chainguard/jitsucom-jitsu-rotor

Vulnerabilities (40)

  • CVE-2025-49005Jul 3, 2025
    affected < 2.10.0-r2fixed 2.10.0-r2

    Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Com

  • CVE-2025-48387HigJun 2, 2025
    affected < 2.10.0-r0fixed 2.10.0-r0

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore o

  • CVE-2025-29927Mar 21, 2025
    affected < 2.9.0-r0fixed 2.9.0-r0

    Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware

  • CVE-2025-27789MedMar 11, 2025
    affected < 2.8.6-r3fixed 2.8.6-r3

    Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif

  • CVE-2025-27152Mar 7, 2025
    affected < 2.8.6-r2fixed 2.8.6-r2

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-22150MedJan 21, 2025
    affected < 2.8.6-r1fixed 2.8.6-r1

    Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat

  • CVE-2024-56332Jan 3, 2025
    affected < 2.8.5-r3fixed 2.8.5-r3

    Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Serve

  • CVE-2024-55565MedDec 9, 2024
    affected < 2.8.5-r0fixed 2.8.5-r0

    nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.

  • CVE-2024-47831Oct 14, 2024
    affected < 2.8.2-r1fixed 2.8.2-r1

    Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU con

  • CVE-2024-47764MedOct 4, 2024
    affected < 2.8.2-r2fixed 2.8.2-r2

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-46982Sep 17, 2024
    affected < 2.8.2-r1fixed 2.8.2-r1

    Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it

  • CVE-2024-39338Aug 9, 2024
    affected < 2.8.0-r1fixed 2.8.0-r1

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-37168MedJun 10, 2024
    affected < 2.7.0-r1fixed 2.7.0-r1

    @grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` chann

  • CVE-2024-34351May 9, 2024
    affected < 2.8.0-r0fixed 2.8.0-r0

    Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able

  • CVE-2022-37620Oct 31, 2022
    affected < 2.8.4-r0fixed 2.8.4-r0

    A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.

  • CVE-2022-37601Oct 12, 2022
    affected < 2.11.0-r6fixed 2.11.0-r6

    Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

  • CVE-2021-42740Oct 21, 2021
    affected < 0fixed 0

    The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi

  • CVE-2018-3739CriJun 7, 2018
    affected < 0fixed 0

    https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

  • CVE-2016-10541CriMay 31, 2018
    affected < 0fixed 0

    The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

  • CVE-2015-9235CriMay 29, 2018
    affected < 0fixed 0

    In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

Page 2 of 2