14 matches found
EUVD-2025-15407
Malicious code in bioql PyPI...
Incorrect Behavior Order
lockfile-lint-api is vulnerable to Incorrect Behavior Order. The vulnerability is due to early validation of the resolved attribute in package URLs, which can be bypassed by extending the package name, allowing attackers to install unintended npm packages...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
GHSA-7CFR-5CJF-32P4 lockfile-lint-api Vulnerable to Incorrect Behavior Order
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
lockfile-lint-api Vulnerable to Incorrect Behavior Order
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
@adpt/testutils (>=0.1.0-next.1 <=0.4.0-next.6), @lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) +6 more potentially affected by CVE-2025-4759 via lockfile-lint-api (>=1.0.7 <=5.9.1)
lockfile-lint-api NPM version =1.0.7, =0.1.0-next.1, =0.1.1, =1.0.0, =4.3.1-test1, =1.3.0, =1.0.1, =4.2.2, =4.3.1, =4.7.0 Source cves: CVE-2025-4759 Source advisory: OSV:GHSA-7CFR-5CJF-32P4...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
CVE-2025-4759 affects the lockfile-lint-api package. The root cause is an incorrect behavior order in URL validation (the resolved attribute) that can be bypassed by extending the package name, allowing installation of other npm packages beyond the intended one. Reported impact includes potential...
PT-2025-21607 · Npm · Lockfile-Lint-Api
Name of the Vulnerable Software and Affected Versions: lockfile-lint-api versions prior to 5.9.2 Description: The issue concerns incorrect behavior order, specifically early validation, via the resolved attribute of the package URL validation. This can be bypassed by extending the package name,...
@lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) potentially affected by CVE-2025-4759 via lockfile-lint-api (=5.9.1)
lockfile-lint-api NPM version =5.9.1 is affected by a known vulnerability. The following packages have a transitive dependency on lockfile-lint-api and may be impacted: - @lavamoat/git-safe-dependencies =0.1.1, =0.2.1 Source cves: CVE-2025-4759 Source advisory: SNYK:JS-LOCKFILELINTAPI-10169587...
Incorrect Behavior Order: Early Validation
Overview lockfile-lint-api is a Lint an npm or yarn lockfile to analyze and detect issues Affected versions of this package are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name...