CVE-2025-4759
Last modified
CVE-2025-4759 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.. EPSS estimates a 0.35% chance of exploitation in the next 30 days.
Description
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lirantal | Lockfile-Lint-Api | < 5.9.2 |
References
- https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-4759?
How severe is CVE-2025-4759?
How do I fix CVE-2025-4759?
Are you affected by CVE-2025-4759?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST