CVE-2025-12613
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-11-12
Assigner: Snyk
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudinary | cloudinary_npm | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects versions of the cloudinary package before 2.7.0 and is due to improper parsing of parameter values containing an ampersand. This allows an attacker to perform Arbitrary Argument Injection by injecting additional, unintended parameters into the application. As a result, the attacker can manipulate the application's behavior, potentially bypass security checks or alter data.
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to bypass security checks, alter data, or manipulate the application's behavior in unintended ways. This could lead to unauthorized actions, data corruption, or other malicious outcomes depending on how the application uses the injected parameters.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the cloudinary package to version 2.7.0 or later, as versions before 2.7.0 are vulnerable to Arbitrary Argument Injection. Avoid using vulnerable versions and monitor for any unusual behavior related to parameter parsing in your application.
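To illustrate the CWE-88 pattern the Q&A describes (a parameter value containing an ampersand that is not delimited from the next argument), here is an added example; it is not code from the cloudinary package, whose internals this record does not show, and it assumes the downstream consumer is a plain `k=v&k=v` parser. The unsafe serializer lets a value carrying `&` become an extra parameter, the hardened one encodes each component, and a round-trip check lets a caller detect the injection before the string is passed on.

```javascript
// Added illustration of CWE-88 with '&'-delimited parameter strings.
// Assumption: the consumer reads a plain "k=v&k=v" string. This is NOT the
// cloudinary package's code; the advisory does not reproduce it.

// Vulnerable serializer: values are concatenated verbatim, so a value that
// contains '&' or '=' is no longer delimited from the following argument.
function serializeUnsafe(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
}

// Hardened serializer: every key and value is percent-encoded, so delimiter
// characters inside a value cannot be read as argument boundaries.
function serializeSafe(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Consumer-side parse, the way a downstream component would read the string.
function parseParams(str) {
  const out = {};
  for (const part of str.split('&')) {
    if (part === '') continue;
    const idx = part.indexOf('=');
    const key = decodeURIComponent(idx < 0 ? part : part.slice(0, idx));
    const val = idx < 0 ? '' : decodeURIComponent(part.slice(idx + 1));
    out[key] = val;
  }
  return out;
}

// Defensive check: re-parse the serialized string and confirm that exactly
// the intended keys, with the intended values, survive the round trip.
function hasInjectedArguments(intended, serialized) {
  const seen = parseParams(serialized);
  const intendedKeys = Object.keys(intended).sort();
  const seenKeys = Object.keys(seen).sort();
  if (intendedKeys.length !== seenKeys.length) return true;
  return intendedKeys.some(
    (k, i) => k !== seenKeys[i] || seen[k] !== String(intended[k]),
  );
}

// Constructed sample input: one caller-supplied value contains an '&'.
const sample = { public_id: 'report', tags: 'x&overwrite=true' };

console.log(serializeUnsafe(sample), hasInjectedArguments(sample, serializeUnsafe(sample)));
console.log(serializeSafe(sample), hasInjectedArguments(sample, serializeSafe(sample)));
```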