GHSA-g4mf-96x5-5m2c

Source
https://github.com/advisories/GHSA-g4mf-96x5-5m2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-g4mf-96x5-5m2c/GHSA-g4mf-96x5-5m2c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4mf-96x5-5m2c
Aliases
Published
2025-11-10T06:30:26Z
Modified
2025-11-13T00:27:47.202936Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
Details

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior.

Note: Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
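As an added illustration of the CWE-88 pattern the Details describe (constructed here; not code from the cloudinary SDK or from this advisory): a serializer that concatenates parameter values unencoded lets a value containing an ampersand be parsed back as extra parameters, while an encoding serializer keeps it inside one value. The parameter names and the sample value are constructed, and `hasInjectedParams` is a hypothetical check a caller could run on a built query string.

```javascript
// Constructed model of the bug class in this advisory: a '&' inside a
// parameter value terminates the parameter when values are not encoded.

// Naive serializer (models the vulnerable behaviour: values are not encoded).
function buildQueryNaive(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
}

// Hardened serializer: URLSearchParams percent-encodes '&' and '=' inside
// keys and values, so a value cannot introduce a new parameter.
function buildQuerySafe(params) {
  const usp = new URLSearchParams();
  for (const [k, v] of Object.entries(params)) usp.append(k, String(v));
  return usp.toString();
}

// Parse a query string back the way a receiving endpoint would.
function parseQuery(qs) {
  return Object.fromEntries(new URLSearchParams(qs).entries());
}

// Check: the parameter names that come back must be exactly the ones intended.
// Returns true when extra (injected) parameter names appear.
function hasInjectedParams(intended, qs) {
  const seen = Object.keys(parseQuery(qs));
  const expected = Object.keys(intended);
  return seen.length !== expected.length || seen.some((k) => !expected.includes(k));
}

// Constructed sample input: a user-controlled value that carries an ampersand.
const sampleParams = { public_id: 'avatar&injected=1', folder: 'uploads' };
```

Run against `sampleParams`, the naive builder yields three parameters from two inputs, while the encoding builder preserves `public_id` as a single value.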

Database specific
{
    "nvd_published_at": "2025-11-10T05:15:42Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-88"
    ],
    "github_reviewed_at": "2025-11-12T23:41:30Z"
}
References

Affected packages

npm / cloudinary

Package
npm / cloudinary

Affected ranges
Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version / all previous versions are affected)
  Fixed: 2.7.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-g4mf-96x5-5m2c/GHSA-g4mf-96x5-5m2c.json"