VYPR

apk package

wolfi/sqlpad-compat

pkg:apk/wolfi/sqlpad-compat

Vulnerabilities (35)

  • CVE-2025-65945Dec 4, 2025
    affected < 7.5.7-r4fixed 7.5.7-r4

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us

  • CVE-2025-12758Nov 27, 2025
    affected < 7.5.7-r4fixed 7.5.7-r4

    Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to impr

  • CVE-2025-64756Nov 17, 2025
    affected < 0fixed 0

    Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.

  • CVE-2025-56200Sep 30, 2025
    affected < 7.5.7-r2fixed 7.5.7-r2

    A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by

  • CVE-2025-57319HigSep 24, 2025
    affected < 0fixed 0

    fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia

  • CVE-2025-59343HigSep 24, 2025
    affected < 7.5.7-r1fixed 7.5.7-r1

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka

  • CVE-2025-57350Sep 24, 2025
    affected < 7.5.7-r2fixed 7.5.7-r2

    The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in

  • CVE-2025-54369CriJul 24, 2025
    affected < 7.5.6-r1fixed 7.5.6-r1

    Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an att

  • CVE-2025-7783CriJul 18, 2025
    affected < 7.5.4-r4fixed 7.5.4-r4

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-7339LowJul 17, 2025
    affected < 7.5.4-r3fixed 7.5.4-r3

    on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receiv

  • CVE-2025-5889LowJun 9, 2025
    affected < 7.5.4-r0fixed 7.5.4-r0

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-48387HigJun 2, 2025
    affected < 7.5.3-r2fixed 7.5.3-r2

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore o

  • CVE-2024-12905HigMar 27, 2025
    affected < 7.5.3-r1fixed 7.5.3-r1

    An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrit

  • CVE-2025-29775CriMar 14, 2025
    affected < 7.5.2-r2fixed 7.5.2-r2

    xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed

  • CVE-2025-29774CriMar 14, 2025
    affected < 7.5.2-r2fixed 7.5.2-r2

    xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed

  • CVE-2024-52798HigDec 5, 2024
    affected < 7.5.2-r0fixed 7.5.2-r0

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-21538HigNov 8, 2024
    affected < 7.5.1-r1fixed 7.5.1-r1

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-47764MedOct 4, 2024
    affected < 7.5.2-r2fixed 7.5.2-r2

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-45590Sep 10, 2024
    affected < 7.5.0-r1fixed 7.5.0-r1

    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is

  • CVE-2024-43800Sep 10, 2024
    affected < 7.5.0-r1fixed 7.5.0-r1

    serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

Page 1 of 2