VYPR

rpm package

opensuse/velociraptor&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed

Vulnerabilities (85)

  • CVE-2025-6545CriJun 23, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

  • CVE-2025-5889LowJun 9, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-22872MedApr 16, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-24358MedApr 15, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl

  • CVE-2025-30204HigMar 21, 2025
    affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-22870MedMar 12, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-27152Mar 7, 2025
    affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-22868Feb 26, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2024-45339HigJan 28, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and

  • CVE-2024-45338MedDec 18, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-55565MedDec 9, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.

  • CVE-2024-21538HigNov 8, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-51744LowNov 4, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r

  • CVE-2024-48948Oct 15, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomal

  • CVE-2024-47875Oct 11, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

  • CVE-2024-48949Oct 10, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

  • CVE-2024-47068Sep 23, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can

  • CVE-2024-45812MedSep 17, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in