CVE-2025-12613
Nov. 12, 2025, 4:19 p.m.
8.8
High
Description
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior.
**Note:**
Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
Product(s) Impacted
| Product | Versions |
|---|---|
| cloudinary |
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component
in another control sphere, but it does not properly delimit the
intended arguments, options, or switches within that command string.
Tags
CVSS Score
CVSS Data - 4.0
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Attack Requirements: NONE
- Privileges Required: NONE
- User Interaction: NONE
- Scope:
- Confidentiality Impact: LOW
- Integrity Impact: HIGH
- Availability Impact: LOW
- Exploit Maturity: NOT_DEFINED
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Timeline
Published: Nov. 10, 2025, 5:15 a.m.
Last Modified: Nov. 12, 2025, 4:19 p.m.
Last Modified: Nov. 12, 2025, 4:19 p.m.
Status : Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
More infoSource
report@snyk.io
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.