VYPR

apk package

chainguard/langfuse-fips-3

pkg:apk/chainguard/langfuse-fips-3

Vulnerabilities (81)

  • CVE-2026-9678 · mod · Jun 17, 2026
    affected < 3.194.0-r0 · fixed 3.194.0-r0

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9697 · imp · Jun 17, 2026
    affected < 3.194.0-r0 · fixed 3.194.0-r0

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-54285 · Jun 15, 2026
    affected < 3.195.0-r0 · fixed 3.195.0-r0

    ## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in

  • CVE-2026-48712 · hig · Jun 15, 2026
    affected < 3.188.0-r0 · fixed 3.188.0-r0

    ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n

  • CVE-2026-54269 · Jun 15, 2026
    affected < 3.192.0-r0 · fixed 3.192.0-r0

    ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc

  • CVE-2026-53550 · Jun 15, 2026
    affected < 3.192.0-r0 · fixed 3.192.0-r0

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143 · Hig · Jun 12, 2026
    affected < 3.188.0-r0 · fixed 3.188.0-r0

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-44494 · Hig · Jun 11, 2026
    affected < 3.177.1-r0 · fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492 · Hig · Jun 11, 2026
    affected < 3.177.1-r0 · fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490 · Med · Jun 11, 2026
    affected < 3.177.1-r0 · fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44489 · Low · Jun 11, 2026
    affected < 3.177.1-r0 · fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209

  • CVE-2026-48068 · hig · Jun 11, 2026
    affected < 3.186.0-r0 · fixed 3.186.0-r0

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following versions have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

  • CVE-2026-48069 · hig · Jun 11, 2026
    affected < 3.186.0-r0 · fixed 3.186.0-r0

    ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js. ### Patches The following versions have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5

  • CVE-2026-45149 · Med · May 29, 2026
    affected < 3.175.0-r0 · fixed 3.175.0-r0

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-45134 · Hig · May 27, 2026
    affected < 3.174.1-r0 · fixed 3.174.1-r0

    LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize

  • CVE-2026-44902 · Hig · May 27, 2026
    affected < 3.174.1-r0 · fixed 3.174.1-r0

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-8723 · Med · May 17, 2026
    affected < 3.176.0-r0 · fixed 3.176.0-r0

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45740 · Med · May 13, 2026
    affected < 3.175.0-r0 · fixed 3.175.0-r0

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-42338 · Med · May 12, 2026
    affected < 3.174.1-r0 · fixed 3.174.1-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-42264 · Hig · May 8, 2026
    affected < 3.174.1-r0 · fixed 3.174.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

Page 1 of 5