CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f
https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63
https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca
https://github.com/lirantal/lockfile-lint/pull/204
https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587

Configurations

No configuration.

History

16 May 2025, 14:42

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete lockfile-lint-api anteriores a 5.9.2 son vulnerables a Orden de comportamiento incorrecto: validación temprana a través del atributo resuelto de la validación de URL del paquete, que se puede omitir extendiendo el nombre del paquete, lo que permite que un atacante instale otros paquetes npm distintos al deseado.

16 May 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-16 05:15

Updated : 2025-05-16 14:42

NVD link : CVE-2025-4759

Mitre link : CVE-2025-4759

CVE.ORG link : CVE-2025-4759

JSON object : View

Products Affected

No product.

CWE

CWE-179

Incorrect Behavior Order: Early Validation

{"id": "CVE-2025-4759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-16T05:15:38.297", "references": [{"url": "https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f", "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63", "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca", "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/pull/204", "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587", "source": "report@snyk.io"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-179"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one."}, {"lang": "es", "value": "Las versiones del paquete lockfile-lint-api anteriores a 5.9.2 son vulnerables a Orden de comportamiento incorrecto: validaci\u00f3n temprana a trav\u00e9s del atributo resuelto de la validaci\u00f3n de URL del paquete, que se puede omitir extendiendo el nombre del paquete, lo que permite que un atacante instale otros paquetes npm distintos al deseado."}], "lastModified": "2025-05-16T14:42:18.700", "sourceIdentifier": "report@snyk.io"}