CVE-2025-4759 (GCVE-0-2025-4759)

Vulnerability from cvelistv5 – Published: 2025-05-16 05:00 – Updated: 2025-05-16 17:39
VLAI?
Summary
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.
Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P
CWE
  • CWE-179 - Incorrect Behavior Order: Early Validation
Assigner
References
Impacted products
Vendor Product Version
n/a lockfile-lint-api Affected: 0 , < 5.9.2 (semver)
Credits
Xavier Bruni
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4759",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-16T17:37:10.232472Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-16T17:39:24.899Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lockfile-lint-api",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "5.9.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Xavier Bruni"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P",
            "version": "3.1"
          },
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-179",
              "description": "Incorrect Behavior Order: Early Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-16T05:00:04.621Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587"
        },
        {
          "url": "https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f"
        },
        {
          "url": "https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63"
        },
        {
          "url": "https://github.com/lirantal/lockfile-lint/pull/204"
        },
        {
          "url": "https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2025-4759",
    "datePublished": "2025-05-16T05:00:04.621Z",
    "dateReserved": "2025-05-15T09:39:15.877Z",
    "dateUpdated": "2025-05-16T17:39:24.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-4759\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2025-05-16T05:15:38.297\",\"lastModified\":\"2025-06-03T15:57:29.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.\"},{\"lang\":\"es\",\"value\":\"Las versiones del paquete lockfile-lint-api anteriores a 5.9.2 son vulnerables a Orden de comportamiento incorrecto: validaci\u00f3n temprana a trav\u00e9s del atributo resuelto de la validaci\u00f3n de URL del paquete, que se puede omitir extendiendo el nombre del paquete, lo que permite que un atacante instale otros paquetes npm distintos al deseado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-179\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lirantal:lockfile-lint-api:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"5.9.2\",\"matchCriteriaId\":\"430CF412-E04B-45AD-AA7F-36344793D04E\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63\",\"source\":\"report@snyk.io\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/lirantal/lockfile-lint/pull/204\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4759\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-16T17:37:10.232472Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-16T17:37:20.716Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Xavier Bruni\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"exploitCodeMaturity\": \"PROOF_OF_CONCEPT\", \"confidentialityImpact\": \"LOW\"}, \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P\", \"exploitMaturity\": \"PROOF_OF_CONCEPT\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"lockfile-lint-api\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.9.2\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587\"}, {\"url\": \"https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f\"}, {\"url\": \"https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63\"}, {\"url\": \"https://github.com/lirantal/lockfile-lint/pull/204\"}, {\"url\": \"https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-179\", \"description\": \"Incorrect Behavior Order: Early Validation\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2025-05-16T05:00:04.621Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-4759\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-16T17:39:24.899Z\", \"dateReserved\": \"2025-05-15T09:39:15.877Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2025-05-16T05:00:04.621Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.