CVE-2025-4759 – lockfile-lint-api
Package
Manager: npm
Name: lockfile-lint-api
Vulnerable Version: >=0 <5.9.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P
EPSS: 0.00059 (percentile 0.18712)
Details
lockfile-lint-api Vulnerable to Incorrect Behavior Order
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation (CWE-179). The check on a dependency's resolved attribute (the package URL) can be bypassed by extending the package name, so a lockfile that passes linting can point at a different npm package than the intended one. An attacker who controls the lockfile can therefore get other npm packages installed in place of the expected ones.
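The weakness class, as an added illustration that is not lockfile-lint-api's own code: a hypothetical resolved-URL check that only tests whether the URL path begins with the dependency name, beside a strict check that parses the npm registry tarball layout (`/<name>/-/<basename>-<version>.tgz`, with `<name>` possibly scoped) and requires an exact match on both the package path and the tarball basename. The lockfile entries and the `express-evil` package name are constructed for the example; the exact input used against lockfile-lint-api is not stated in the advisory and is not reproduced here.

```javascript
// Illustration of CWE-179 in a lockfile "resolved" URL check.
// Hypothetical validators, not lockfile-lint-api's implementation.

// Constructed sample in the shape of a package-lock v2/v3 "packages" map.
const SAMPLE_LOCK = {
  'node_modules/lodash': {
    version: '4.17.21',
    resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
  },
  // Attacker-controlled entry: the dependency is still named "express", but
  // the tarball belongs to an unrelated package whose name merely extends it.
  'node_modules/express': {
    version: '1.0.0',
    resolved: 'https://registry.npmjs.org/express-evil/-/express-evil-1.0.0.tgz',
  },
  'node_modules/@types/node': {
    version: '20.0.0',
    resolved: 'https://registry.npmjs.org/@types/node/-/node-20.0.0.tgz',
  },
};

// Dependency name from a "packages" key: everything after the last "node_modules/".
function depNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Weak check (hypothetical): accepts when the URL path starts with the name.
// Any package whose name extends the expected one passes, e.g. "express-evil".
function weakCheck(name, _version, resolved) {
  let url;
  try { url = new URL(resolved); } catch { return false; }
  return url.pathname.startsWith('/' + name);
}

// Strict check: split on the registry's "/-/" separator, require the package
// path to equal the dependency name exactly (scope included), and require the
// tarball basename to be "<unscoped name>-<version>.tgz".
function strictCheck(name, version, resolved) {
  let url;
  try { url = new URL(resolved); } catch { return false; }
  const parts = url.pathname.split('/-/');
  if (parts.length !== 2) return false;
  const pkgPath = decodeURIComponent(parts[0].replace(/^\//, ''));
  if (pkgPath !== name) return false;
  const unscoped = name.includes('/') ? name.split('/')[1] : name;
  return parts[1] === `${unscoped}-${version}.tgz`;
}

// Run a check over every entry; returns the names that failed.
function validateLock(lock, check) {
  const failures = [];
  for (const [key, entry] of Object.entries(lock)) {
    const name = depNameFromKey(key);
    if (!check(name, entry.version, entry.resolved)) failures.push(name);
  }
  return failures;
}

console.log('weak   ->', validateLock(SAMPLE_LOCK, weakCheck));   // []
console.log('strict ->', validateLock(SAMPLE_LOCK, strictCheck)); // ['express']
```

The weak validator reports a clean lockfile even though `express` resolves to an `express-evil` tarball; the strict one flags it. Comparing the parsed package path for equality, rather than testing a prefix or substring, is the property a resolved-URL validator needs.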
Metadata
Created: 2025-05-16T06:30:24Z
Modified: 2025-05-16T21:45:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-7cfr-5cjf-32p4/GHSA-7cfr-5cjf-32p4.json
CWE IDs: ["CWE-179"]
Alternative ID: GHSA-7cfr-5cjf-32p4
Finding: F431
Auto approve: 1