Description
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation (CWE-179) in the validation of the lockfile's `resolved` attribute (the package tarball URL). The check that a `resolved` URL belongs to the expected package can be bypassed by extending the package name, so a lockfile entry can point at a different npm package than the intended one and still pass the lint, allowing an attacker who can alter the lockfile to have another npm package installed in its place.
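The following is an added illustration of the flaw class the advisory names; it is not lockfile-lint-api's own code. The weak check is an assumed reconstruction of "early validation" on the `resolved` field (the expected name is matched against the raw URL string before the URL is parsed), which is what lets an "extended" name such as `lodash-evil` pass for `lodash`. The strict check parses the URL and compares the registry tarball path `/<name>/-/<basename>-<version>.tgz` exactly, including scoped names. The sample lockfile entries are constructed.

```javascript
// Added example (not lockfile-lint-api's code). Weak vs. strict validation of a
// lockfile "resolved" URL against the package name the entry claims to be.

// Constructed sample entries: name taken from the lockfile key, resolved URL as
// it would appear under that key. The last two have the "extended name" shape.
const SAMPLE_ENTRIES = [
  { name: 'lodash', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  { name: '@babel/core', resolved: 'https://registry.npmjs.org/@babel/core/-/core-7.24.0.tgz' },
  { name: 'lodash', resolved: 'https://registry.npmjs.org/lodash-evil/-/lodash-evil-1.0.0.tgz' },
  { name: '@babel/core', resolved: 'https://registry.npmjs.org/@babel/core-evil/-/core-evil-1.0.0.tgz' },
];

// Weak check (assumed pre-fix shape): a substring test on the raw URL string,
// performed before any parsing. "lodash-evil" contains "lodash", so it passes.
function weakResolvedMatchesName(name, resolved) {
  return resolved.includes(name);
}

// Strict check: parse the URL, split the path, require the segments before the
// registry's "/-/" separator to equal the package name exactly, and require the
// tarball basename to be "<unscoped name>-<version>.tgz".
function strictResolvedMatchesName(name, resolved) {
  let url;
  try {
    url = new URL(resolved);
  } catch {
    return false; // an unparseable resolved field never passes
  }
  const segments = url.pathname.split('/').filter(Boolean).map(decodeURIComponent);
  const sep = segments.indexOf('-');
  if (sep < 1 || sep + 1 >= segments.length) return false;
  if (segments.slice(0, sep).join('/') !== name) return false; // exact name, not prefix
  const unscoped = name.includes('/') ? name.split('/')[1] : name;
  const tarball = segments[sep + 1];
  return tarball.startsWith(unscoped + '-') && tarball.endsWith('.tgz');
}

// Run a check over the entries and report the ones it rejects.
function findMismatches(entries, check) {
  return entries
    .filter(({ name, resolved }) => !check(name, resolved))
    .map(({ name, resolved }) => `${name} -> ${resolved}`);
}

console.log('weak rejects:  ', findMismatches(SAMPLE_ENTRIES, weakResolvedMatchesName));
console.log('strict rejects:', findMismatches(SAMPLE_ENTRIES, strictResolvedMatchesName));
```

Run with `node`: the weak check rejects nothing, while the strict check rejects the two entries whose `resolved` URL names a package that merely begins with the expected name. The point of the strict form is the order of operations: parse first, then compare whole path segments, so no substring of the expected name can satisfy the check.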
References (5)
Third Party Advisory: https://security.snyk.io/vuln/SNYK-JS-LOCKFILELINTAPI-10169587
Scores
CVSS v3: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0018 (percentile 38.5%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-179 (Incorrect Behavior Order: Early Validation)
Status: published
Products (2)
lirantal/lockfile-lint-api: < 5.9.2
npm/lockfile-lint-api: >= 0, < 5.9.2 (npm)
Published: May 16, 2025
Tracked Since: Feb 18, 2026