VYPR

apk package

wolfi/lerna

pkg:apk/wolfi/lerna

Vulnerabilities (65)

  • CVE-2026-42036MedApr 24, 2026
    affected < 9.0.7-r4fixed 9.0.7-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream c

  • CVE-2026-42035HigApr 24, 2026
    affected < 9.0.7-r4fixed 9.0.7-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability ex

  • CVE-2026-42034MedApr 24, 2026
    affected < 9.0.7-r4fixed 9.0.7-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets

  • CVE-2026-42033HigApr 24, 2026
    affected < 9.0.7-r4fixed 9.0.7-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON respo

  • CVE-2026-40175MedApr 10, 2026
    affected < 9.0.7-r3fixed 9.0.7-r3

    Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound

  • CVE-2025-62718CriApr 9, 2026
    affected < 9.0.7-r3fixed 9.0.7-r3

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_

  • CVE-2026-33941HigMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly i

  • CVE-2026-33940HigMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebar

  • CVE-2026-33939HigMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")

  • CVE-2026-33938HigMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec

  • CVE-2026-33937CriMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge

  • CVE-2026-33916MedMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-33750MedMar 27, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-33672MedMar 26, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671HigMar 26, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c

  • CVE-2026-33532MedMar 26, 2026
    affected < 9.0.7-r2fixed 9.0.7-r2

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct

  • CVE-2026-31802Mar 9, 2026
    affected < 9.0.7-r1fixed 9.0.7-r1

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-29786Mar 7, 2026
    affected < 9.0.7-r1fixed 9.0.7-r1

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar

  • CVE-2026-27904Feb 26, 2026
    affected < 9.0.5-r1fixed 9.0.5-r1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903Feb 26, 2026
    affected < 9.0.5-r1fixed 9.0.5-r1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a