CVE-2025-4759 — lockfile-lint-api Vulnerable to Incorrect Behavior Order

描述

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

如何修補 CVE-2025-4759

要修補 CVE-2025-4759,請將受影響套件升級到下列已修補版本。

—升級至 5.9.2 或更新版本

CVE-2025-4759 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 5.9.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P
osv	CVSS 3.1	HIGH8.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

參考連結(7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-4759
PATCHgithub.com/lirantal/lockfile-lint
WEBgist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f
WEBgithub.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js#L51-L63