VYPR

apk package

chainguard/langfuse-3

pkg:apk/chainguard/langfuse-3

Vulnerabilities (85)

  • CVE-2026-2391Feb 12, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2025-69873LowFeb 11, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp(

  • CVE-2025-68157Feb 5, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a resul

  • CVE-2025-68458Feb 5, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@h

  • CVE-2025-68121CriFeb 5, 2026
    affected < 3.153.0-r0fixed 3.153.0-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 3.153.0-r0fixed 3.153.0-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2026-25536Feb 4, 2026
    affected < 3.153.0-r0fixed 3.153.0-r0

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in st

  • CVE-2026-25128Jan 30, 2026
    affected < 3.150.0-r0fixed 3.150.0-r0

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML

  • CVE-2025-61728Jan 28, 2026
    affected < 0fixed 0

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726Jan 28, 2026
    affected < 0fixed 0

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61730Jan 28, 2026
    affected < 3.149.0-r1fixed 3.149.0-r1

    During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i

  • CVE-2025-61731Jan 28, 2026
    affected < 3.149.0-r1fixed 3.149.0-r1

    Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-68119Jan 28, 2026
    affected < 3.149.0-r1fixed 3.149.0-r1

    Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are

  • CVE-2025-59472Jan 26, 2026
    affected < 3.150.0-r0fixed 3.150.0-r0

    A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data

  • CVE-2025-59471Jan 26, 2026
    affected < 3.153.0-r0fixed 3.153.0-r0

    A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing

  • CVE-2025-13465MedJan 21, 2026
    affected < 3.146.0-r2fixed 3.146.0-r2

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2026-22028Jan 8, 2026
    affected < 3.146.0-r0fixed 3.146.0-r0

    Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON paylo

  • CVE-2026-0621Jan 5, 2026
    affected < 3.145.0-r0fixed 3.145.0-r0

    Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching

  • CVE-2025-15284Dec 29, 2025
    affected < 3.143.0-r1fixed 3.143.0-r1

    Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim

  • CVE-2025-14874Dec 18, 2025
    affected < 3.135.1-r2fixed 3.135.1-r2

    A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

Page 4 of 5