apk package

chainguard/vitess-18.0-binaries

pkg:apk/chainguard/vitess-18.0-binaries

Vulnerabilities (23)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2025-4673	Med	6.8		< 18.0.8-r15	18.0.8-r15	Jun 11, 2025	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874	Hig	7.5		< 18.0.8-r15	18.0.8-r15	Jun 11, 2025	Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565		—		< 18.0.8-r14	18.0.8-r14	May 1, 2025	Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872	Med	6.5		< 18.0.8-r13	18.0.8-r13	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395	Med	—		< 18.0.8-r12	18.0.8-r12	Apr 10, 2025	Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486	Med	5.3		< 18.0.8-r11	18.0.8-r11	Apr 3, 2025	Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125		—	KEV	< 18.0.8-r10	18.0.8-r10	Mar 31, 2025	Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208		—		< 18.0.8-r9	18.0.8-r9	Mar 24, 2025	Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22870	Med	4.4		< 18.0.8-r8	18.0.8-r8	Mar 12, 2025	Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-27789	Med	6.2		< 18.0.8-r8	18.0.8-r8	Mar 11, 2025	Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif
CVE-2025-22868		—		< 18.0.8-r7	18.0.8-r7	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869		—		< 18.0.8-r7	18.0.8-r7	Feb 26, 2025	SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866	Med	4.0		< 18.0.8-r5	18.0.8-r5	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45339	Hig	7.1		< 18.0.8-r4	18.0.8-r4	Jan 28, 2025	When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2025-24010		—		< 18.0.8-r3	18.0.8-r3	Jan 20, 2025	Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6
CVE-2024-45338	Med	5.3		< 18.0.8-r2	18.0.8-r2	Dec 18, 2024	An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337	Cri	9.1		< 18.0.8-r1	18.0.8-r1	Dec 12, 2024	Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565	Med	4.3		< 18.0.8-r2	18.0.8-r2	Dec 9, 2024	nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-21538	Hig	7.5		< 18.0.8-r2	18.0.8-r2	Nov 8, 2024	Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted
CVE-2024-47764	Med	—		< 18.0.8-r2	18.0.8-r2	Oct 4, 2024	cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

CVE-2025-4673MedJun 11, 2025
affected < 18.0.8-r15fixed 18.0.8-r15
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874HigJun 11, 2025
affected < 18.0.8-r15fixed 18.0.8-r15
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565May 1, 2025
affected < 18.0.8-r14fixed 18.0.8-r14
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872MedApr 16, 2025
affected < 18.0.8-r13fixed 18.0.8-r13
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395MedApr 10, 2025
affected < 18.0.8-r12fixed 18.0.8-r12
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486MedApr 3, 2025
affected < 18.0.8-r11fixed 18.0.8-r11
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125KEVMar 31, 2025
affected < 18.0.8-r10fixed 18.0.8-r10
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208Mar 24, 2025
affected < 18.0.8-r9fixed 18.0.8-r9
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22870MedMar 12, 2025
affected < 18.0.8-r8fixed 18.0.8-r8
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-27789MedMar 11, 2025
affected < 18.0.8-r8fixed 18.0.8-r8
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif
CVE-2025-22868Feb 26, 2025
affected < 18.0.8-r7fixed 18.0.8-r7
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869Feb 26, 2025
affected < 18.0.8-r7fixed 18.0.8-r7
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866MedFeb 6, 2025
affected < 18.0.8-r5fixed 18.0.8-r5
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45339HigJan 28, 2025
affected < 18.0.8-r4fixed 18.0.8-r4
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2025-24010Jan 20, 2025
affected < 18.0.8-r3fixed 18.0.8-r3
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6
CVE-2024-45338MedDec 18, 2024
affected < 18.0.8-r2fixed 18.0.8-r2
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337CriDec 12, 2024
affected < 18.0.8-r1fixed 18.0.8-r1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565MedDec 9, 2024
affected < 18.0.8-r2fixed 18.0.8-r2
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-21538HigNov 8, 2024
affected < 18.0.8-r2fixed 18.0.8-r2
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted
CVE-2024-47764MedOct 4, 2024
affected < 18.0.8-r2fixed 18.0.8-r2
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

Page 1 of 2