apk package

chainguard/seaweedfs-operator

pkg:apk/chainguard/seaweedfs-operator

Vulnerabilities (31)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-58186	Med	5.3	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
CVE-2025-58183	Med	4.3	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-61724		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
CVE-2025-58188		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
CVE-2025-58185		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
CVE-2025-47912		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
CVE-2025-61723		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
CVE-2025-58189		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
CVE-2025-58187		—	< 1.0.5-r1	1.0.5-r1	Oct 29, 2025	Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
CVE-2024-40120		—	< 1.0.6-r0	1.0.6-r0	May 16, 2025	seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go.
CVE-2023-36308		—	< 1.0.6-r0	1.0.6-r0	Sep 5, 2023	disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any

CVE-2025-58186MedOct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
CVE-2025-58183MedOct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-61724Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
CVE-2025-58188Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
CVE-2025-58185Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
CVE-2025-47912Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
CVE-2025-61723Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
CVE-2025-58189Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
CVE-2025-58187Oct 29, 2025
affected < 1.0.5-r1fixed 1.0.5-r1
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
CVE-2024-40120May 16, 2025
affected < 1.0.6-r0fixed 1.0.6-r0
seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go.
CVE-2023-36308Sep 5, 2023
affected < 1.0.6-r0fixed 1.0.6-r0
disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any

Page 2 of 2