CVE-2025-12613HIGH 8.6EPSS p23.4%

CVE-2025-12613CVE-2025-12613

Description

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior. **Note:** Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS0.32% probability of exploitation · percentile 23.4% · 2026-06-18T12:00:27Z
Published2025-11-10
Last modified2026-04-15

Underlying weaknesses· 1

CWE-88

References

  1. https://github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050
  2. https://github.com/cloudinary/cloudinary_npm/pull/709
  3. https://security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Argument Delimiters in a Command ('Argument Injection')cwe-880%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-12153
CVE
CVE-2025-12154
CVE
CVE-2025-4578
CVE
CVE-2025-8723
CVE
CVE-2025-12673
CVE
CVE-2025-12556
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.