Description

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

INFO

Published Date :

2025-05-16T05:00:04.621Z

Last Modified :

2025-05-16T17:39:24.899Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2025-4759 vulnerability.

Vendors Products
Lirantal
  • Lockfile-lint-api
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-4759.

URL Resource
https://gist.github.com/Xavier59/881aef04940970dc3e738dcbff64151f cve-icon cve-icon
https://github.com/lirantal/lockfile-lint/blob/89b5cad028df4d77bab2b73ac93bc61e392668ab/packages/lockfile-lint-api/src/validators/ValidatePackageNames.js%23L51-L63 cve-icon cve-icon
https://github.com/lirantal/lockfile-lint/commit/9e5305bd3e4f0c6acc0d23ec43eac2bd5303b4ca cve-icon cve-icon
https://github.com/lirantal/lockfile-lint/pull/204 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact