VYPR

apk package

wolfi/json-server

pkg:apk/wolfi/json-server

Vulnerabilities (8)

  • CVE-2026-8723MedMay 17, 2026
    affected < 0.17.4-r7fixed 0.17.4-r7

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-4800HigMar 31, 2026
    affected < 0.17.4-r6fixed 0.17.4-r6

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 0.17.4-r6fixed 0.17.4-r6

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-4867HigMar 26, 2026
    affected < 0.17.4-r6fixed 0.17.4-r6

    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu

  • CVE-2026-2391Feb 12, 2026
    affected < 0.17.4-r5fixed 0.17.4-r5

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2025-13465MedJan 21, 2026
    affected < 0.17.4-r4fixed 0.17.4-r4

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-15284Dec 29, 2025
    affected < 0.17.4-r3fixed 0.17.4-r3

    Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim

  • CVE-2025-7339LowJul 17, 2025
    affected < 0.17.4-r2fixed 0.17.4-r2

    on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receiv