VYPR

apk package

chainguard/langfuse-3-worker

pkg:apk/chainguard/langfuse-3-worker

Vulnerabilities (129)

  • CVE-2026-39363HigApr 7, 2026
    affected < 3.179.1-r3fixed 3.179.1-r3

    Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine f

  • CVE-2026-35209HigApr 6, 2026
    affected < 3.164.0-r1fixed 3.164.0-r1

    defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vuln

  • CVE-2026-4800HigMar 31, 2026
    affected < 3.164.0-r1fixed 3.164.0-r1

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 3.164.0-r1fixed 3.164.0-r1

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33750MedMar 27, 2026
    affected < 3.164.0-r1fixed 3.164.0-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-33532MedMar 26, 2026
    affected < 3.164.0-r7fixed 3.164.0-r7

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct

  • CVE-2026-4923MedMar 26, 2026
    affected < 3.179.1-r3fixed 3.179.1-r3

    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*

  • CVE-2026-33468HigMar 26, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ES

  • CVE-2026-33349Mar 24, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration

  • CVE-2026-33228Mar 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, a

  • CVE-2026-32887HigMar 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `Asy

  • CVE-2026-32763HigMar 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly i

  • CVE-2026-2229Mar 12, 2026
    affected < 3.179.1-r1fixed 3.179.1-r1

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 3.179.1-r1fixed 3.179.1-r1

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1527Mar 12, 2026
    affected < 3.179.1-r1fixed 3.179.1-r1

    ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-1526Mar 12, 2026
    affected < 3.179.1-r1fixed 3.179.1-r1

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 3.179.1-r1fixed 3.179.1-r1

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-32141Mar 12, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus

  • CVE-2026-30827Mar 7, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6()

  • CVE-2026-27142MedMar 6, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

Page 4 of 7