apk package
wolfi/langfuse-3-worker
pkg:apk/wolfi/langfuse-3-worker
Vulnerabilities (129)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14874 | | — | | < 3.135.1-r2 | 3.135.1-r2 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. |
| CVE-2025-68130 | Hig | — | | < 3.141.0-r0 | 3.141.0-r0 | Dec 16, 2025 | tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the |
| CVE-2025-65945 | | — | | < 3.138.0-r0 | 3.138.0-r0 | Dec 4, 2025 | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us |
| CVE-2025-66414 | | — | | < 3.137.0-r1 | 3.137.0-r1 | Dec 2, 2025 | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l |
| CVE-2025-66400 | | — | | < 3.137.0-r1 | 3.137.0-r1 | Dec 1, 2025 | mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the p |
| CVE-2025-62522 | Med | — | | < 3.179.1-r3 | 3.179.1-r3 | Oct 20, 2025 | Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent i |
| CVE-2025-58752 | | — | | < 3.179.1-r3 | 3.179.1-r3 | Sep 8, 2025 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.ho |
| CVE-2025-58751 | | — | | < 3.179.1-r3 | 3.179.1-r3 | Sep 8, 2025 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network |
| CVE-2025-5889 | Low | 3.1 | | < 3.179.1-r3 | 3.179.1-r3 | Jun 9, 2025 | A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l |