VYPR

apk package

wolfi/langfuse-compat

pkg:apk/wolfi/langfuse-compat

Vulnerabilities (20)

  • CVE-2025-65944MedNov 25, 2025
    affected < 3.134.0-r1fixed 3.134.0-r1

    Sentry-Javascript is an official Sentry SDKs for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentr

  • CVE-2025-13466MedNov 24, 2025
    affected < 3.134.0-r1fixed 3.134.0-r1

    body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and mem

  • CVE-2025-64756Nov 17, 2025
    affected < 0fixed 0

    Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.

  • CVE-2025-13033HigNov 14, 2025
    affected < 3.125.0-r0fixed 3.125.0-r0

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m

  • CVE-2025-64718Nov 13, 2025
    affected < 3.134.0-r0fixed 3.134.0-r0

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-62522MedOct 20, 2025
    affected < 3.121.0-r0fixed 3.121.0-r0

    Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent i

  • CVE-2025-59288Oct 14, 2025
    affected < 3.121.0-r0fixed 3.121.0-r0

    Improper verification of cryptographic signature in Github: Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.

  • CVE-2025-57319HigSep 24, 2025
    affected < 3.125.0-r0fixed 3.125.0-r0

    fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia

  • CVE-2025-59343HigSep 24, 2025
    affected < 3.113.0-r0fixed 3.113.0-r0

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka

  • CVE-2025-58754Sep 12, 2025
    affected < 3.110.0-r1fixed 3.110.0-r1

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-9910MedSep 11, 2025
    affected < 3.112.0-r0fixed 3.112.0-r0

    Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and th

  • CVE-2025-58752Sep 8, 2025
    affected < 3.110.0-r0fixed 3.110.0-r0

    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.ho

  • CVE-2025-58751Sep 8, 2025
    affected < 3.110.0-r0fixed 3.110.0-r0

    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network

  • CVE-2025-57752Aug 29, 2025
    affected < 3.106.1-r1fixed 3.106.1-r1

    Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such

  • CVE-2025-55173Aug 29, 2025
    affected < 3.106.1-r1fixed 3.106.1-r1

    Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file download

  • CVE-2025-57822Aug 29, 2025
    affected < 3.106.1-r1fixed 3.106.1-r1

    Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. Thi

  • CVE-2025-54881MedAug 19, 2025
    affected < 3.102.0-r0fixed 3.102.0-r0

    Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed

  • CVE-2025-54880Aug 19, 2025
    affected < 3.102.0-r0fixed 3.102.0-r0

    Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed

  • CVE-2025-47907Aug 7, 2025
    affected < 0fixed 0

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-7783CriJul 18, 2025
    affected < 3.85.1-r1fixed 3.85.1-r1

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.