133 matches found

OSV
added 2025/05/16 6:30 a.m. · 1 view

GHSA-7CFR-5CJF-32P4 lockfile-lint-api Vulnerable to Incorrect Behavior Order

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3 · AI score 5.9 · EPSS 0.00352
Exploits: 1 · References: 7
Github Security Blog
added 2025/05/16 6:30 a.m. · 23 views

lockfile-lint-api Vulnerable to Incorrect Behavior Order

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3 · AI score 6.8 · EPSS 0.00352
Exploits: 1 · References: 7 · Affected Software: 1
NVD
added 2025/05/16 5:15 a.m. · 18 views

CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3 · EPSS 0.00352
Exploits: 1 · References: 5
OSV
added 2025/05/16 5:15 a.m. · 9 views

CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 5.3 · AI score 6.7
Exploits: 0 · References: 5
CVE
added 2025/05/16 5:00 a.m. · 53 views

CVE-2025-4759

CVE-2025-4759 affects the lockfile-lint-api package. The root cause is an incorrect behavior order in URL validation (the resolved attribute) that can be bypassed by extending the package name, allowing installation of other npm packages beyond the intended one. Reported impact includes potential...

CVSS 8.3 · AI score 8.3 · EPSS 0.00352
Exploits: 1 · References: 5 · Affected Software: 1
Vulnrichment
added 2025/05/16 5:00 a.m. · 7 views

CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3 · AI score 8.3 · EPSS 0.00352
Exploits: 1 · References: 5
Cvelist
added 2025/05/16 5:00 a.m. · 16 views

CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3 · EPSS 0.00352
Exploits: 1 · References: 5
CNNVD
added 2025/05/16 12:00 a.m. · 2 views

lockfile linting security vulnerability

lockfile linting is a tool by Liran Tal Personal Developer. A security vulnerability exists in lockfile linting versions prior to 5.9.2, which stems from package URL validation being out of order, and could lead to the installation of unintended npm packages...

CVSS 8.3 · AI score 6.3 · EPSS 0.00352
Exploits: 1 · References: 6
Positive Technologies
added 2025/05/16 12:00 a.m. · 3 views

PT-2025-21607 · Npm · Lockfile-Lint-Api

Name of the Vulnerable Software and Affected Versions: lockfile-lint-api versions prior to 5.9.2 Description: The issue concerns incorrect behavior order, specifically early validation, via the resolved attribute of the package URL validation. This can be bypassed by extending the package name,...

CVSS 8.3 · AI score 6.2 · EPSS 0.00352
Exploits: 1 · References: 16
vulnersOsv
added 2025/04/13 6:04 p.m. · 5 views

@lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) potentially affected by CVE-2025-4759 via lockfile-lint-api (=5.9.1)

lockfile-lint-api NPM version =5.9.1 is affected by a known vulnerability. The following packages have a transitive dependency on lockfile-lint-api and may be impacted: - @lavamoat/git-safe-dependencies =0.1.1, =0.2.1 Source cves: CVE-2025-4759 Source advisory: SNYK:JS-LOCKFILELINTAPI-10169587...

CVSS 8.3 · AI score 5.8 · EPSS 0.00352
Exploits: 1
Snyk
added 2025/04/13 6:04 p.m. · 4 views

Incorrect Behavior Order: Early Validation

Overview: lockfile-lint-api is a tool to lint an npm or yarn lockfile to analyze and detect issues. Affected versions of this package are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation, which can be bypassed by extending the package name...

CVSS 8.3 · AI score 7 · EPSS 0.00352
Exploits: 1 · References: 2
UbuntuCve
added 2024/07/09 12:00 a.m. · 23 views

CVE-2024-38081

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability...

CVSS 7.3 · AI score 7.1 · EPSS 0.01119
Exploits: 0 · References: 4
vulnersOsv
added 2023/12/09 3:30 a.m. · 7 views

com.github.t1:wunderbar.demo.product (>=2.2.0 <=3.5.1), io.github.chains-project:maven-lockfile-github-action (>=1.0.1 <=5.5.1) +24 more potentially affected by CVE-2023-6394 via io.quarkus:quarkus-smallrye-graphql-client (>=2.14.0.CR1 <=3.5.2)

io.quarkus:quarkus-smallrye-graphql-client MAVEN version =2.14.0.CR1, =2.2.0, =1.0.1, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =1.3.0, =1.8.0, =1.8.0, =1.3.0, =1.3.0, =1.7.4, =1.8.0, =1.3.0, =1.3.0, =2.14.1 and more. Source cves: CVE-2023-6394 https://v...

CVSS 9.1 · AI score 7.1 · EPSS 0.00814
Exploits: 0
OSV
added 2023/10/20 7:30 p.m. · 3 views

GHSA-J44V-MMF2-XVM9 PDM Trojan Lockfile

Summary: It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. Details: Project foo can be targeted by creating the project foo-2 and uploading the fil...

CVSS 7.8 · AI score 7.5 · EPSS 0.00512
Exploits: 1 · References: 7
Vulnrichment
added 2023/10/20 6:12 p.m. · 13 views

CVE-2023-45805 Trojan Lockfile in pdm

pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project f...

CVSS 7.8 · AI score 7.4 · EPSS 0.00512
Exploits: 1 · References: 5
Cvelist
added 2023/10/20 6:12 p.m. · 22 views

CVE-2023-45805 Trojan Lockfile in pdm

pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project f...

CVSS 7.8 · AI score 8 · EPSS 0.00512
Exploits: 1 · References: 5
SUSE CVE
added 2023/02/15 5:59 a.m. · 1 view

SUSE CVE-2010-2024

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/...

CVSS 4.4 · AI score 7 · EPSS 0.0028
Exploits: 0 · References: 4
SUSE CVE
added 2023/02/15 5:49 a.m. · 4 views

SUSE CVE-2012-0420

zypp-refresh-wrapper in SUSE Zypper before 1.3.20 and 1.6.x before 1.6.166 allows local users to create files in arbitrary directories, or possibly have unspecified other impact, via a pathname in the ZYPPLOCKFILEROOT environment variable...

CVSS 4.4 · AI score 7.2 · EPSS 0.00337
Exploits: 0 · References: 4
The Hacker News
added 2022/06/24 8:02 a.m. · 31 views

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves t...

AI score 0.5
Exploits: 0
Malwarebytes
added 2022/06/06 11:26 p.m. · 22 views

Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool

This blog is part of our live coverage from RSA Conference 2022: Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor th...

AI score 0.1
Exploits: 0