VYPR

apk package

wolfi/langfuse-3

pkg:apk/wolfi/langfuse-3

Vulnerabilities (85)

  • CVE-2026-9678modJun 17, 2026
    affected < 3.194.0-r0fixed 3.194.0-r0

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9697impJun 17, 2026
    affected < 3.194.0-r0fixed 3.194.0-r0

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-54285Jun 15, 2026
    affected < 3.195.0-r0fixed 3.195.0-r0

    ## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in

  • CVE-2026-48712higJun 15, 2026
    affected < 3.188.0-r0fixed 3.188.0-r0

    ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply n

  • CVE-2026-54269Jun 15, 2026
    affected < 3.191.0-r0fixed 3.191.0-r0

    ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc

  • CVE-2026-53550Jun 15, 2026
    affected < 3.191.0-r0fixed 3.191.0-r0

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143HigJun 12, 2026
    affected < 3.188.0-r0fixed 3.188.0-r0

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-44494HigJun 11, 2026
    affected < 3.177.1-r0fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492HigJun 11, 2026
    affected < 3.177.1-r0fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490MedJun 11, 2026
    affected < 3.177.1-r0fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44489LowJun 11, 2026
    affected < 3.177.1-r0fixed 3.177.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209

  • CVE-2026-48068higJun 11, 2026
    affected < 3.186.0-r0fixed 3.186.0-r0

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

  • CVE-2026-48069higJun 11, 2026
    affected < 3.186.0-r0fixed 3.186.0-r0

    ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5

  • CVE-2026-45149MedMay 29, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-45134HigMay 27, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize

  • CVE-2026-44902HigMay 27, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-8723MedMay 17, 2026
    affected < 3.176.0-r0fixed 3.176.0-r0

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45740MedMay 13, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-42338MedMay 12, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41487MedMay 8, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the

Page 1 of 5