VYPR

apk package

chainguard/kibana-9.1-bitnami

pkg:apk/chainguard/kibana-9.1-bitnami

Vulnerabilities (15)

  • CVE-2025-15284Dec 29, 2025
    affected < 9.1.9-r1fixed 9.1.9-r1

    Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim

  • CVE-2025-68665Dec 23, 2025
    affected < 9.1.9-r1fixed 9.1.9-r1

    LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify

  • CVE-2025-14874Dec 18, 2025
    affected < 9.1.7-r2fixed 9.1.7-r2

    A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

  • CVE-2025-68154Dec 16, 2025
    affected < 0fixed 0

    systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com

  • CVE-2025-65945Dec 4, 2025
    affected < 9.1.8-r2fixed 9.1.8-r2

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us

  • CVE-2025-66414Dec 2, 2025
    affected < 9.1.8-r1fixed 9.1.8-r1

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l

  • CVE-2025-66030Nov 26, 2025
    affected < 9.1.7-r2fixed 9.1.7-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.

  • CVE-2025-66031Nov 26, 2025
    affected < 9.1.7-r2fixed 9.1.7-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-12816Nov 25, 2025
    affected < 9.1.7-r2fixed 9.1.7-r2

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-13033HigNov 14, 2025
    affected < 9.1.5-r1fixed 9.1.5-r1

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m

  • CVE-2025-64718Nov 13, 2025
    affected < 9.1.7-r1fixed 9.1.7-r1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-11362Oct 7, 2025
    affected < 9.1.5-r0fixed 9.1.5-r0

    Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger

  • CVE-2025-57319HigSep 24, 2025
    affected < 0fixed 0

    fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia

  • CVE-2025-59343HigSep 24, 2025
    affected < 9.1.4-r0fixed 9.1.4-r0

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka

  • CVE-2025-54798Aug 7, 2025
    affected < 9.1.3-r0fixed 9.1.3-r0

    tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.