VYPR

apk package

wolfi/cloudflared

pkg:apk/wolfi/cloudflared

Vulnerabilities (52)

  • CVE-2026-25679HigMar 6, 2026
    affected < 2026.3.0-r0fixed 2026.3.0-r0

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-69725MedFeb 19, 2026
    affected < 0fixed 0

    An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain.

  • CVE-2026-24051HigFeb 2, 2026
    affected < 0fixed 0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2025-68151Jan 8, 2026
    affected < 2026.2.0-r0fixed 2026.2.0-r0

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many

  • CVE-2025-47914Nov 19, 2025
    affected < 2025.11.1-r1fixed 2025.11.1-r1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 2025.11.1-r1fixed 2025.11.1-r1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-58063HigSep 9, 2025
    affected < 2026.2.0-r0fixed 2026.2.0-r0

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do

  • CVE-2025-47950Jun 6, 2025
    affected < 0fixed 0

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any lim

  • CVE-2025-22872MedApr 16, 2025
    affected < 2025.4.0-r1fixed 2025.4.0-r1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-22870MedMar 12, 2025
    affected < 2025.2.1-r3fixed 2025.2.1-r3

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22868Feb 26, 2025
    affected < 2025.2.1-r1fixed 2025.2.1-r1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 2025.2.1-r2fixed 2025.2.1-r2

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-22866MedFeb 6, 2025
    affected < 2025.2.0-r0fixed 2025.2.0-r0

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45338MedDec 18, 2024
    affected < 2024.12.2-r1fixed 2024.12.2-r1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 2024.12.1-r1fixed 2024.12.1-r1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-53259MedDec 2, 2024
    affected < 2024.12.1-r0fixed 2024.12.1-r0

    quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a

  • CVE-2024-34158HigSep 6, 2024
    affected < 2024.1.0-r13fixed 2024.1.0-r13

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    affected < 2024.1.0-r13fixed 2024.1.0-r13

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155MedSep 6, 2024
    affected < 2024.1.0-r13fixed 2024.1.0-r13

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-24791HigJul 2, 2024
    affected < 2024.1.0-r12fixed 2024.1.0-r12

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co