CVE-2025-4759 HIGH

Vendor N/A
Product lockfile-lint-api
Weakness CWE-179
Published May 16, 2025
Last update May 16, 2025

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P

What the vulnerability does

01 Description

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation, which can be bypassed by extending the package name, allowing an attacker to install npm packages other than the intended one.

Key dates

02 Disclosure timeline

May 16, 2025 CVE published
May 16, 2025 Record updated