VYPR

apk package

wolfi/kubeflow-centraldashboard

pkg:apk/wolfi/kubeflow-centraldashboard

Vulnerabilities (79)

  • CVE-2025-7339LowJul 17, 2025
    affected < 1.10.0-r3fixed 1.10.0-r3

    on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receiv

  • CVE-2025-5889LowJun 9, 2025
    affected < 1.10.0-r1fixed 1.10.0-r1

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-27152Mar 7, 2025
    affected < 1.9.2-r5fixed 1.9.2-r5

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-1302CriFeb 15, 2025
    affected < 1.9.2-r5fixed 1.9.2-r5

    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an

  • CVE-2024-52798HigDec 5, 2024
    affected < 1.9.2-r3fixed 1.9.2-r3

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-21534CriOct 11, 2024
    affected < 1.9.2-r4fixed 1.9.2-r4

    All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix i

  • CVE-2024-47764MedOct 4, 2024
    affected < 1.9.1-r1fixed 1.9.1-r1

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-45590Sep 10, 2024
    affected < 1.9.0-r4fixed 1.9.0-r4

    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is

  • CVE-2024-43800Sep 10, 2024
    affected < 1.9.0-r4fixed 1.9.0-r4

    serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

  • CVE-2024-43799Sep 10, 2024
    affected < 1.9.0-r4fixed 1.9.0-r4

    Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

  • CVE-2024-43796Sep 10, 2024
    affected < 1.9.0-r4fixed 1.9.0-r4

    Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

  • CVE-2024-45296HigSep 9, 2024
    affected < 1.9.0-r3fixed 1.9.0-r3

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

  • CVE-2024-39338Aug 9, 2024
    affected < 1.9.0-r1fixed 1.9.0-r1

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-37890HigJun 17, 2024
    affected < 1.8.0-r5fixed 1.8.0-r5

    ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e

  • CVE-2024-37168MedJun 10, 2024
    affected < 1.8.0-r5fixed 1.8.0-r5

    @grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` chann

  • CVE-2024-29041Mar 25, 2024
    affected < 1.8.0-r3fixed 1.8.0-r3

    Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres

  • CVE-2024-28849Mar 14, 2024
    affected < 1.8.0-r3fixed 1.8.0-r3

    follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which

  • CVE-2023-26159Jan 2, 2024
    affected < 1.8.0-r1fixed 1.8.0-r1

    Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this

  • CVE-2019-10790Feb 17, 2020
    affected < 1.10.0-r19fixed 1.10.0-r19

    taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. Howev

Page 4 of 4