๐Ÿ” CVE Alert

CVE-2025-12613

HIGH 8.6
CVSS Score
8.6
EPSS Score
0.4%
EPSS Percentile
28th

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

CWE CWE-88
Vendor n/a
Product cloudinary
Published Nov 10, 2025
Last Updated Jul 12, 2026
Stay Ahead of the Next One

Get instant alerts for n/a cloudinary

Be the first to know when new high vulnerabilities affecting n/a cloudinary are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Affected Versions

n/a / cloudinary
0 < 2.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740 github.com: https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050 github.com: https://github.com/cloudinary/cloudinary_npm/pull/709

Credits

Patryk Konior