Vulnerability-Lookup

RHSA-2026:2145

Vulnerability from csaf_redhat - Published: 2026-02-05 15:53 - Updated: 2026-02-11 15:13

Summary

Red Hat Security Advisory: Kiali 1.73.26 for Red Hat OpenShift Service Mesh 2.6

Notes

Topic

Kiali 1.73.26 for Red Hat OpenShift Service Mesh 2.6 This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Kiali 1.73.26, for Red Hat OpenShift Service Mesh 2.6, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently Security Fix(es): * kiali-ossmc-rhel8: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284) * kiali-rhel8: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284) * kiali-ossmc-rhel8: prototype pollution in _.unset and _.omit functions (CVE-2025-13465) * kiali-rhel8: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Kiali 1.73.26 for Red Hat OpenShift Service Mesh 2.6\n\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Kiali 1.73.26, for Red Hat OpenShift Service Mesh 2.6, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently\n\nSecurity Fix(es):\n\n* kiali-ossmc-rhel8: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)\n\n* kiali-rhel8: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)\n\n* kiali-ossmc-rhel8: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)\n\n* kiali-rhel8: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:2145",
        "url": "https://access.redhat.com/errata/RHSA-2026:2145"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-13465",
        "url": "https://access.redhat.com/security/cve/CVE-2025-13465"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-15284",
        "url": "https://access.redhat.com/security/cve/CVE-2025-15284"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/cve-2025-13465",
        "url": "https://access.redhat.com/security/cve/cve-2025-13465"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/cve-2025-15284",
        "url": "https://access.redhat.com/security/cve/cve-2025-15284"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification",
        "url": "https://access.redhat.com/security/updates/classification"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2145.json"
      }
    ],
    "title": "Red Hat Security Advisory: Kiali 1.73.26 for Red Hat OpenShift Service Mesh 2.6",
    "tracking": {
      "current_release_date": "2026-02-11T15:13:36+00:00",
      "generator": {
        "date": "2026-02-11T15:13:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2026:2145",
      "initial_release_date": "2026-02-05T15:53:57+00:00",
      "revision_history": [
        {
          "date": "2026-02-05T15:53:57+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-05T15:54:01+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-11T15:13:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Service Mesh 2.6",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh 2.6",
                  "product_id": "Red Hat OpenShift Service Mesh 2.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_mesh:2.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Service Mesh"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256%3Af7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140470"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140426"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256%3Aad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140470"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140426"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256%3Aedc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140470"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140426"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256%3Ad16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140470"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3Aee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1770140426"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
          "product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13465",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2026-01-21T20:01:28.774829+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2431740"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "lodash: prototype pollution in _.unset and _.omit functions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user input to determine the path of the property to be removed. This issue only allows the deletion of properties but does not allow overwriting their behavior, limiting the impact to a denial of service. Due to this reason, this vulnerability has been rated with an important severity.\n\nIn Grafana, JavaScript code runs only in the browser, while the server side is all Golang. Therefore, the worst-case scenario is a loss of functionality in the client application inside the browser. To reflect this, the CVSS availability metric and the severity of the Grafana and the Grafana-PCP component have been updated to low and moderate, respectively.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "RHBZ#2431740",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-13465",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
          "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
        }
      ],
      "release_date": "2026-01-21T19:05:28.846000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-05T15:53:57+00:00",
          "details": "See Kiali 1.73.26 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2145"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "lodash: prototype pollution in _.unset and _.omit functions"
    },
    {
      "cve": "CVE-2025-15284",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-12-29T23:00:58.541337+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2425946"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "qs: qs: Denial of Service via improper input validation in array parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat products that utilize the `qs` module for parsing query strings, particularly when processing user-controlled input with bracket notation. The `arrayLimit` option, intended to prevent resource exhaustion, is bypassed when bracket notation (`a[]=value`) is used, allowing a remote attacker to cause a denial of service through memory exhaustion. This can lead to application crashes or unresponsiveness, making the service unavailable.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
          "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-15284"
        },
        {
          "category": "external",
          "summary": "RHBZ#2425946",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-15284",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9",
          "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p",
          "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
        }
      ],
      "release_date": "2025-12-29T22:56:45.240000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-05T15:53:57+00:00",
          "details": "See Kiali 1.73.26 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2145"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:4e910b08863756516707f2ad8198c04dc6d706c78f481561a3b2e896800d4dbe_amd64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:6851b4cf7f6da95b614431535c7c0c744dc441ff4abf9aaa203b46d652a529b9_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:9a867a9efe090c85cb5cd198e82663d87b1bc29061420def8cfe119c45c025fc_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:ee28a1278a21783acbda367a8f10d51dd81a7f4af5dcba64c1d58402bac0b43d_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ad1449f9047107c23d5b0e53c3ca148a12a9729dd7aa474c5eadb55870f314fa_arm64",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:d16be0b09ee231bda769ddb16cb781e2a0fefca42243ada15c8c176d5ba711a8_s390x",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:edc436424d55e4f8e0765ac59a4b2dcbd38dce49532db0bd917ca5b3c4526fac_ppc64le",
            "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:f7701158e0b0c3b0091d30be1dfe2fba73386160536929025504e903cf8c8bd9_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "qs: qs: Denial of Service via improper input validation in array parsing"
    }
  ]
}

CVE-2025-13465 (GCVE-0-2025-13465)

Vulnerability from cvelistv5 – Published: 2026-01-21 19:05 – Updated: 2026-01-21 19:43

Title

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

Summary

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

openjs

References

URL

CVE-2025-15284 (GCVE-0-2025-15284)

Vulnerability from cvelistv5 – Published: 2025-12-29 22:56 – Updated: 2026-02-10 20:06

Title

arrayLimit bypass in bracket notation allows DoS via memory exhaustion

Summary

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly. Details The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000. Impact Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

harborist

References

URL

	Vendor	Product	Version
			Affected: < 6.14.1 (semver)

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:2145

CVE-2025-13465 (GCVE-0-2025-13465)

CVE-2025-15284 (GCVE-0-2025-15284)

Tags

Sightings

Nomenclature