CVE-2025-12613

Sažetak

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

Reference

https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050
https://github.com/cloudinary/cloudinary_npm/pull/709
https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740

CVSS

Base:	8.6
Impact:	4.7
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	HIGH	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Zadnje važnije ažuriranje

12-11-2025 - 16:19

Objavljeno

10-11-2025 - 05:15