apk package
chainguard/langfuse-web-compat
pkg:apk/chainguard/langfuse-web-compat
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-15284 | — | < 3.143.0-r1 | 3.143.0-r1 | Dec 29, 2025 | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim | ||
| CVE-2025-14874 | — | < 3.135.1-r2 | 3.135.1-r2 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | ||
| CVE-2025-68130 | Hig | — | < 3.141.0-r0 | 3.141.0-r0 | Dec 16, 2025 | tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the | |
| CVE-2025-65945 | — | < 3.138.0-r0 | 3.138.0-r0 | Dec 4, 2025 | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us | ||
| CVE-2025-66414 | — | < 3.137.0-r1 | 3.137.0-r1 | Dec 2, 2025 | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l | ||
| CVE-2025-66400 | — | < 3.137.0-r1 | 3.137.0-r1 | Dec 1, 2025 | mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the p |
- CVE-2025-15284Dec 29, 2025affected < 3.143.0-r1fixed 3.143.0-r1
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim
- CVE-2025-14874Dec 18, 2025affected < 3.135.1-r2fixed 3.135.1-r2
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
- affected < 3.141.0-r0fixed 3.141.0-r0
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the
- CVE-2025-65945Dec 4, 2025affected < 3.138.0-r0fixed 3.138.0-r0
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us
- CVE-2025-66414Dec 2, 2025affected < 3.137.0-r1fixed 3.137.0-r1
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l
- CVE-2025-66400Dec 1, 2025affected < 3.137.0-r1fixed 3.137.0-r1
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the p