CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f	Exploit
https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63	Broken Link
https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca	Patch
https://github.com/lirantal/lockfile-lint/pull/204	Patch
https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lirantal:lockfile-lint-api:*:*:*:*:*:node.js:*:*

History

03 Jun 2025, 15:57

Type	Values Removed	Values Added
First Time		Lirantal lockfile-lint-api Lirantal
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:lirantal:lockfile-lint-api::::::node.js::*
References	~~() https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f -~~	() https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f - Exploit
References	~~() https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63 -~~	() https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63 - Broken Link
References	~~() https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca -~~	() https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca - Patch
References	~~() https://github.com/lirantal/lockfile-lint/pull/204 -~~	() https://github.com/lirantal/lockfile-lint/pull/204 - Patch
References	~~() https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587 -~~	() https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587 - Third Party Advisory

16 May 2025, 14:42

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete lockfile-lint-api anteriores a 5.9.2 son vulnerables a Orden de comportamiento incorrecto: validación temprana a través del atributo resuelto de la validación de URL del paquete, que se puede omitir extendiendo el nombre del paquete, lo que permite que un atacante instale otros paquetes npm distintos al deseado.

16 May 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-16 05:15

Updated : 2025-06-03 15:57

NVD link : CVE-2025-4759

Mitre link : CVE-2025-4759

CVE.ORG link : CVE-2025-4759

JSON object : View

Products Affected

lirantal

lockfile-lint-api

CWE

CWE-179

Incorrect Behavior Order: Early Validation

NVD-CWE-noinfo

{"id": "CVE-2025-4759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-16T05:15:38.297", "references": [{"url": "https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f", "tags": ["Exploit"], "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63", "tags": ["Broken Link"], "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/lirantal/lockfile-lint/pull/204", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-179"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one."}, {"lang": "es", "value": "Las versiones del paquete lockfile-lint-api anteriores a 5.9.2 son vulnerables a Orden de comportamiento incorrecto: validaci\u00f3n temprana a trav\u00e9s del atributo resuelto de la validaci\u00f3n de URL del paquete, que se puede omitir extendiendo el nombre del paquete, lo que permite que un atacante instale otros paquetes npm distintos al deseado."}], "lastModified": "2025-06-03T15:57:29.763", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lirantal:lockfile-lint-api:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "430CF412-E04B-45AD-AA7F-36344793D04E", "versionEndExcluding": "5.9.2"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}

8.3 /10