VYPR

apk package

chainguard/pelias-api

pkg:apk/chainguard/pelias-api

Vulnerabilities (30)

  • CVE-2026-4867HigMar 26, 2026
    affected < 7.6.0-r5fixed 7.6.0-r5

    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu

  • CVE-2026-2229Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1527Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-2581Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler

  • CVE-2026-1526Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 7.6.0-r4fixed 7.6.0-r4

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-26996Feb 20, 2026
    affected < 7.6.0-r3fixed 7.6.0-r3

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-2391Feb 12, 2026
    affected < 7.6.0-r2fixed 7.6.0-r2

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2025-13465MedJan 21, 2026
    affected < 7.6.0-r1fixed 7.6.0-r1

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

Page 2 of 2