Vulnerability Description
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.
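A minimal illustration of the weakness class described above, added here and not taken from the cloudinary SDK or its patch: a serializer that joins `key=value` pairs with `&` without encoding the values, next to one that percent-encodes them. All function names, parameter names and the sample input are hypothetical and constructed for the example.

```javascript
// Illustration of the weakness class only; not the cloudinary SDK's code.
// Every function and parameter name below is hypothetical.

// Weak: joins key=value pairs with '&' and leaves the values untouched.
function serializeNaive(params) {
  return Object.keys(params).sort()
    .map((k) => `${k}=${params[k]}`)
    .join('&');
}

// Hardened: percent-encodes keys and values, so '&' and '=' inside a value
// cannot be read as delimiters by the receiver.
function serializeEncoded(params) {
  return Object.keys(params).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
}

// Receiver side: split on '&', then on the first '=', then decode.
function parse(serialized) {
  const out = {};
  for (const pair of serialized.split('&')) {
    const i = pair.indexOf('=');
    const key = i === -1 ? pair : pair.slice(0, i);
    const value = i === -1 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return out;
}

// Defensive check: does the receiver see exactly the keys the caller sent?
function keysPreserved(serialize, params) {
  const seen = Object.keys(parse(serialize(params))).sort();
  const sent = Object.keys(params).sort();
  return JSON.stringify(seen) === JSON.stringify(sent);
}

// Constructed sample: one user-controlled value that contains an ampersand.
const sample = { name: 'photo1', note: 'a&extra=1' };

console.log(parse(serializeNaive(sample)));   // receiver sees a third key
console.log(parse(serializeEncoded(sample))); // value arrives intact
console.log(keysPreserved(serializeNaive, sample), keysPreserved(serializeEncoded, sample));
```

A round-trip check like `keysPreserved` works as a regression test for any code that builds delimiter-separated parameter strings from user input.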
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2
- https://github.com/cloudinary/cloudinary_npm/pull/709
- https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740
FAQ
What is CVE-2025-12613?
CVE-2025-12613 is a vulnerability with a CVSS score of 8.6 (HIGH). Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, u...
How severe is CVE-2025-12613?
CVE-2025-12613 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12613?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.