apk package
chainguard/vitess-24
pkg:apk/chainguard/vitess-24
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-11525 | low | 3.7 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header | |
| CVE-2026-6733 | low | 3.7 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. | |
| CVE-2026-9678 | mod | 5.9 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: Undici: Information disclosure due to improper cache-control header parsing | |
| CVE-2026-9679 | mod | 5.9 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding | |
| CVE-2026-9697 | imp | 7.4 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy | |
| CVE-2026-6734 | imp | 7.5 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing | |
| CVE-2026-12151 | imp | 7.5 | < 24.0.2-r1 | 24.0.2-r1 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames | |
| CVE-2026-48988 | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | ### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea | ||
| CVE-2026-54271 | hig | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | ## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common ca | |
| CVE-2026-53663 | low | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cros | |
| CVE-2026-48712 | hig | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n | |
| CVE-2026-54269 | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc | ||
| CVE-2026-53550 | — | < 24.0.1-r4 | 24.0.1-r4 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event | ||
| CVE-2026-49356 | low | — | < 24.0.2-r2 | 24.0.2-r2 | Jun 15, 2026 | ## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code | |
| CVE-2026-49982 | Hig | 8.2 | < 24.0.1-r4 | 24.0.1-r4 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje | |
| CVE-2026-42342 | Hig | 7.5 | < 24.0.1-r2 | 24.0.1-r2 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, re | |
| CVE-2026-42211 | Hig | 8.1 | < 24.0.1-r2 | 24.0.1-r2 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing protot | |
| CVE-2026-40181 | Med | 6.1 | < 24.0.1-r2 | 24.0.1-r2 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The le | |
| CVE-2026-46598 | Med | 5.3 | < 0 | 0 | May 22, 2026 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. | |
| CVE-2026-46597 | Hig | 7.5 | < 0 | 0 | May 22, 2026 | An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. |
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: Undici: Information disclosure due to improper cache-control header parsing
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
- affected < 24.0.2-r1fixed 24.0.2-r1
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
- CVE-2026-48988Jun 15, 2026affected < 24.0.1-r4fixed 24.0.1-r4
### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea
- affected < 24.0.1-r4fixed 24.0.1-r4
## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common ca
- affected < 24.0.1-r4fixed 24.0.1-r4
Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cros
- affected < 24.0.1-r4fixed 24.0.1-r4
## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n
- CVE-2026-54269Jun 15, 2026affected < 24.0.1-r4fixed 24.0.1-r4
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc
- CVE-2026-53550Jun 15, 2026affected < 24.0.1-r4fixed 24.0.1-r4
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event
- affected < 24.0.2-r2fixed 24.0.2-r2
## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code
- affected < 24.0.1-r4fixed 24.0.1-r4
tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje
- affected < 24.0.1-r2fixed 24.0.1-r2
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, re
- affected < 24.0.1-r2fixed 24.0.1-r2
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing protot
- affected < 24.0.1-r2fixed 24.0.1-r2
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The le
- affected < 0fixed 0
For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
- affected < 0fixed 0
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
Page 1 of 2