apk package
chainguard/saf
pkg:apk/chainguard/saf
Vulnerabilities (72)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-11525 | low | 3.7 | < 1.6.0-r2 | 1.6.0-r2 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header | |
| CVE-2026-6733 | low | 3.7 | < 1.6.0-r2 | 1.6.0-r2 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. | |
| CVE-2026-9679 | mod | 5.9 | < 1.6.0-r2 | 1.6.0-r2 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding | |
| CVE-2026-12151 | imp | 7.5 | < 1.6.0-r2 | 1.6.0-r2 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames | |
| CVE-2026-53655 | — | < 1.6.0-r1 | 1.6.0-r1 | Jun 15, 2026 | ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (` | ||
| CVE-2026-53550 | — | < 1.6.0-r1 | 1.6.0-r1 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event | ||
| CVE-2026-12143 | Hig | 7.5 | < 1.6.0-r1 | 1.6.0-r1 | Jun 12, 2026 | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee | |
| CVE-2026-49982 | Hig | 8.2 | < 1.6.0-r1 | 1.6.0-r1 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje | |
| CVE-2026-44705 | Hig | 8.2 | < 1.6.0-r0 | 1.6.0-r0 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal | |
| CVE-2026-46625 | Hig | 7.5 | < 1.6.0-r0 | 1.6.0-r0 | Jun 10, 2026 | JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o | |
| CVE-2026-8723 | Med | 5.3 | < 1.6.0-r0 | 1.6.0-r0 | May 17, 2026 | ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). | |
| CVE-2026-42338 | Med | 6.1 | < 1.6.0-r0 | 1.6.0-r0 | May 12, 2026 | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi | |
| CVE-2026-42264 | Hig | 7.4 | < 1.6.0-r0 | 1.6.0-r0 | May 8, 2026 | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert | |
| CVE-2026-41650 | Med | 6.1 | < 1.6.0-r0 | 1.6.0-r0 | May 7, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This | |
| CVE-2026-41675 | Hig | — | < 1.6.0-r0 | 1.6.0-r0 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be seriali | |
| CVE-2026-41674 | Hig | — | < 1.6.0-r0 | 1.6.0-r0 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, syste | |
| CVE-2026-41673 | Hig | — | < 1.6.0-r0 | 1.6.0-r0 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A suffic | |
| CVE-2026-41672 | Hig | — | < 1.6.0-r0 | 1.6.0-r0 | May 7, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML | |
| CVE-2026-6322 | Hig | 7.5 | < 1.5.3-r1 | 1.5.3-r1 | May 5, 2026 | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw | |
| CVE-2026-6321 | Hig | 7.5 | < 1.5.3-r1 | 1.5.3-r1 | May 4, 2026 | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize |
- affected < 1.6.0-r2fixed 1.6.0-r2
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
- affected < 1.6.0-r2fixed 1.6.0-r2
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
- affected < 1.6.0-r2fixed 1.6.0-r2
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
- affected < 1.6.0-r2fixed 1.6.0-r2
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
- CVE-2026-53655Jun 15, 2026affected < 1.6.0-r1fixed 1.6.0-r1
### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`
- CVE-2026-53550Jun 15, 2026affected < 1.6.0-r1fixed 1.6.0-r1
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event
- affected < 1.6.0-r1fixed 1.6.0-r1
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee
- affected < 1.6.0-r1fixed 1.6.0-r1
tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje
- affected < 1.6.0-r0fixed 1.6.0-r0
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal
- affected < 1.6.0-r0fixed 1.6.0-r0
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o
- affected < 1.6.0-r0fixed 1.6.0-r0
### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
- affected < 1.6.0-r0fixed 1.6.0-r0
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
- affected < 1.6.0-r0fixed 1.6.0-r0
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert
- affected < 1.6.0-r0fixed 1.6.0-r0
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
- affected < 1.6.0-r0fixed 1.6.0-r0
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be seriali
- affected < 1.6.0-r0fixed 1.6.0-r0
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, syste
- affected < 1.6.0-r0fixed 1.6.0-r0
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A suffic
- affected < 1.6.0-r0fixed 1.6.0-r0
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML
- affected < 1.5.3-r1fixed 1.5.3-r1
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw
- affected < 1.5.3-r1fixed 1.5.3-r1
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
Page 1 of 4