12 matches found
EUVD-2025-198921
Malicious code in @postman/pm-bin-macos-arm64 (npm)
Source: amazon-inspector e9784306ff54e49967977f9fc58b5d335de3a19434cc7d7d277ee8097ef3079d The package @postman/pm-bin-macos-arm64 was found to contain malicious code. Source: google-open-source-security...
postman-cli (>=1.16.0-canary.1 <=1.24.2) potentially affected by unknown CVE via @postman/pm-bin-macos-arm64 (>=1.16.0-canary.1 <=1.24.2)
@postman/pm-bin-macos-arm64 NPM version =1.16.0-canary.1, =1.16.0-canary.1, =1.24.2 Source cves: unknown CVE Source advisory: SNYK:JS-POSTMANPMBINMACOSARM64-14103293...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free that could allow remote code execution when closing an HTTP/3 stream. An attacker can exploit a race condition when the application code is writing to the response body. Note: HTTP/3 is not enabled by default. This issue...
GHSA-23HG-53Q6-HQFG ImageMagick BlobStream Forward-Seek Under-Allocation
Reporter: Lumina Mescuwa Product: ImageMagick 7 MagickCore Component: MagickCore/blob.c Blob I/O - BlobStream Tested: 7.1.2-0 source tag and 7.1.2-1 Homebrew, macOS arm64, clang-17, Q16-HDRI Impact: Heap out-of-bounds WRITE attacker-controlled bytes at attacker-chosen offset → memory corruption;...
PT-2025-36602
Reporter: Lumina Mescuwa Product: ImageMagick 7 MagickCore Component: MagickCore/blob.c Blob I/O - BlobStream Tested: 7.1.2-0 source tag and 7.1.2-1 Homebrew, macOS arm64, clang-17, Q16-HDRI Impact: Heap out-of-bounds WRITE attacker-controlled bytes at attacker-chosen offset → memory corruption;...
Untrusted Search Path
Overview Affected versions of this package are vulnerable to Untrusted Search Path. An attacker can achieve remote code execution by planting malicious files on the victim's system, with knowledge of where they should be placed, then tricking a user into running these files. Remediation Upgrade...
Buffer Over-read
Overview Affected versions of this package are vulnerable to Buffer Over-read through the loading of a specially crafted file. Remediation Upgrade Microsoft.NETCore.App.Runtime.osx-arm64 to version 8.0.12, 9.0.1 or higher. References - GitHub Issue - GitHub Issue - Security Advisory...
@emberai/agent-node (>=1.1.0 <=1.2.0), @pnpm/beta (>=0.0.2-6.13.0 <=0.0.6-6.17.0) +1 more potentially affected by CVE-2023-37478 via @pnpm/macos-arm64 (>=0.0.2-6.13.0 <=7.33.3)
@pnpm/macos-arm64 NPM version =0.0.2-6.13.0, =1.1.0, =0.0.2-6.13.0, =6.17.1, =11.0.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
@pnpm/exe (>=8.0.0 <=8.15.9) potentially affected by CVE-2023-37478 via @pnpm/macos-arm64 (>=8.0.0 <=8.6.7)
@pnpm/macos-arm64 NPM version =8.0.0, =8.0.0, =8.15.9 Source cves: CVE-2023-37478 Source advisory: OSV:GHSA-5R98-F33J-G8H7...
Remote Code Execution (RCE)
Overview Affected versions of this package are vulnerable to Remote Code Execution (RCE). A vulnerability exists in .NET source generator for P/Invokes that can lead to generated code freeing uninitialized memory and crashing. Remediation Upgrade Microsoft.NETCore.App.Runtime.osx-arm64 to version...
Privilege Escalation
Overview Affected versions of this package are vulnerable to Privilege Escalation. A vulnerability exists in .NET when extracting the contents of a Tar file which may result in elevation of privileges. Remediation Upgrade Microsoft.NETCore.App.Runtime.osx-arm64 to version 6.0.18, 7.0.7 or higher...