VYPR

apk package

chainguard/kubeflow-pipelines-frontend

pkg:apk/chainguard/kubeflow-pipelines-frontend

Vulnerabilities (135)

  • CVE-2025-66031Nov 26, 2025
    affected < 2.15.0-r0fixed 2.15.0-r0

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-12816Nov 25, 2025
    affected < 2.15.0-r0fixed 2.15.0-r0

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-47914Nov 19, 2025
    affected < 2.14.4-r1fixed 2.14.4-r1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 2.14.4-r1fixed 2.14.4-r1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-64718Nov 13, 2025
    affected < 2.14.4-r1fixed 2.14.4-r1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-62157Oct 14, 2025
    affected < 2.14.3-r3fixed 2.14.3-r3

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack

  • CVE-2025-62156Oct 14, 2025
    affected < 2.14.3-r3fixed 2.14.3-r3

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack

  • CVE-2025-58754Sep 12, 2025
    affected < 2.14.3-r1fixed 2.14.3-r1

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-7783CriJul 18, 2025
    affected < 2.15.0-r1fixed 2.15.0-r1

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-50182Jun 19, 2025
    affected < 2.5.0-r4fixed 2.5.0-r4

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 2.5.0-r4fixed 2.5.0-r4

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2025-5889LowJun 9, 2025
    affected < 2.5.0-r3fixed 2.5.0-r3

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2024-47081MedJun 9, 2025
    affected < 0fixed 0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-32997Apr 15, 2025
    affected < 2.14.3-r3fixed 2.14.3-r3

    In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.

  • CVE-2025-32996Apr 15, 2025
    affected < 2.14.3-r3fixed 2.14.3-r3

    In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.

  • CVE-2025-29786HigMar 17, 2025
    affected < 2.4.0-r9fixed 2.4.0-r9

    Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression

  • CVE-2025-22870MedMar 12, 2025
    affected < 2.4.0-r8fixed 2.4.0-r8

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-27152Mar 7, 2025
    affected < 2.4.0-r5fixed 2.4.0-r5

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-22868Feb 26, 2025
    affected < 2.4.0-r6fixed 2.4.0-r6

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 2.4.0-r5fixed 2.4.0-r5

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Page 3 of 7