VYPR

apk package

wolfi/wasm-pack

pkg:apk/wolfi/wasm-pack

Vulnerabilities (5)

  • CVE-2026-33056 · Mar 20, 2026
    affected < 0.14.0-r4, fixed 0.14.0-r4

    tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,

  • CVE-2026-33055 · Mar 20, 2026
    affected < 0.14.0-r4, fixed 0.14.0-r4

    tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz

  • CVE-2026-25727 · Feb 6, 2026
    affected < 0.14.0-r3, fixed 0.14.0-r3

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2025-4432 · Medium · May 9, 2025
    affected < 0.13.1-r2, fixed 0.13.1-r2

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-29787 · High · Mar 17, 2025
    affected < 0.13.1-r3, fixed 0.13.1-r3

    `zip` is a zip library for Rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used f