Description

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

PUBLISHED Reserved 2025-11-02 | Published 2025-11-10 | Updated 2025-11-10 | Assigner snyk




HIGH: 8.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
HIGH: 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Problem types

Arbitrary Argument Injection

Credits

Patryk Konior

References

security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740

github.com/...ommit/ec4b65f2b3461365c569198ed6d2cfa61cca4050

github.com/cloudinary/cloudinary_npm/pull/709

cve.org (CVE-2025-12613)

nvd.nist.gov (CVE-2025-12613)
