CVE-2025-12613
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: Snyk

Description
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12613
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudinary cloudinary_npm *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects versions of the cloudinary package before 2.7.0 and is due to improper parsing of parameter values containing an ampersand. This allows an attacker to perform Arbitrary Argument Injection by injecting additional, unintended parameters into the application. As a result, the attacker can manipulate the application's behavior, potentially bypass security checks or alter data.

Impact Analysis

The vulnerability can impact you by allowing attackers to bypass security checks, alter data, or manipulate the application's behavior in unintended ways. This could lead to unauthorized actions, data corruption, or other malicious outcomes depending on how the application uses the injected parameters.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the cloudinary package to version 2.7.0 or later, as versions before 2.7.0 are vulnerable to Arbitrary Argument Injection. Avoid using vulnerable versions and monitor for any unusual behavior related to parameter parsing in your application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12613. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart