CVE-2025-12613
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. Note: Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | cloudinary | 0 < 2.7.0 | affected |
Weaknesses
- CWE-88: Arbitrary Argument Injection
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740
- https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050
- https://github.com/cloudinary/cloudinary_npm/pull/709
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.