VYPR

apk package

chainguard/vitess-24

pkg:apk/chainguard/vitess-24

Vulnerabilities (31)

  • CVE-2026-11525lowJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733lowJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9678modJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679modJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-9697impJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-6734impJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

  • CVE-2026-12151impJun 17, 2026
    affected < 24.0.2-r1fixed 24.0.2-r1

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-48988Jun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    ### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea

  • CVE-2026-54271higJun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    ## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common ca

  • CVE-2026-53663lowJun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cros

  • CVE-2026-48712higJun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n

  • CVE-2026-54269Jun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc

  • CVE-2026-53550Jun 15, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-49356lowJun 15, 2026
    affected < 24.0.2-r2fixed 24.0.2-r2

    ## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code

  • CVE-2026-49982HigJun 11, 2026
    affected < 24.0.1-r4fixed 24.0.1-r4

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje

  • CVE-2026-42342HigJun 2, 2026
    affected < 24.0.1-r2fixed 24.0.1-r2

    React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, re

  • CVE-2026-42211HigJun 2, 2026
    affected < 24.0.1-r2fixed 24.0.1-r2

    React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing protot

  • CVE-2026-40181MedJun 2, 2026
    affected < 24.0.1-r2fixed 24.0.1-r2

    React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The le

  • CVE-2026-46598MedMay 22, 2026
    affected < 0fixed 0

    For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

  • CVE-2026-46597HigMay 22, 2026
    affected < 0fixed 0

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Page 1 of 2