VYPR

apk package

wolfi/code-server

pkg:apk/wolfi/code-server

Vulnerabilities (75)

  • CVE-2026-11525lowJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733lowJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9678modJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679modJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-9697impJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-6734impJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

  • CVE-2026-12151impJun 17, 2026
    affected < 4.125.0-r2fixed 4.125.0-r2

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-53655Jun 15, 2026
    affected < 4.124.2-r1fixed 4.124.2-r1

    ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-53550Jun 15, 2026
    affected < 4.124.2-r0fixed 4.124.2-r0

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-48779higJun 15, 2026
    affected < 4.124.2-r0fixed 4.124.2-r0

    ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea

  • CVE-2026-9277HigMay 22, 2026
    affected < 4.123.0-r2fixed 4.123.0-r2

    shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te

  • CVE-2026-8723MedMay 17, 2026
    affected < 4.121.0-r1fixed 4.121.0-r1

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45736MedMay 15, 2026
    affected < 4.121.0-r0fixed 4.121.0-r0

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-44240HigMay 12, 2026
    affected < 4.112.0-r4fixed 4.112.0-r4

    basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p

  • CVE-2026-42338MedMay 12, 2026
    affected < 4.112.0-r4fixed 4.112.0-r4

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41907HigApr 24, 2026
    affected < 4.112.0-r3fixed 4.112.0-r3

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-41324HigApr 24, 2026
    affected < 4.112.0-r3fixed 4.112.0-r3

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing

  • CVE-2026-4800HigMar 31, 2026
    affected < 4.112.0-r2fixed 4.112.0-r2

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 4.112.0-r2fixed 4.112.0-r2

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33672MedMar 26, 2026
    affected < 4.112.0-r2fixed 4.112.0-r2

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

Page 1 of 4