Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f513b9a83c93 · 2025-11-27T09:00:04.000Z
GHSA-9g8m-v378-pcg3 GHSA-5hhx-v7f6-x7gv GHSA-98vj-mm79-v77r GHSA-fjf5-xgmq-5525
diff --git a/advisories/github-reviewed/2025/09/GHSA-9g8m-v378-pcg3/GHSA-9g8m-v378-pcg3.json b/advisories/github-reviewed/2025/09/GHSA-9g8m-v378-pcg3/GHSA-9g8m-v378-pcg3.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9g8m-v378-pcg3",
-  "modified": "2025-09-26T12:57:00Z",
+  "modified": "2025-11-27T08:57:14Z",
   "published": "2025-09-24T21:30:37Z",
   "aliases": [
     "CVE-2025-57324"
   ],
   "summary": "parse is vulnerable to prototype pollution",
-  "details": "parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
+  "details": "parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "last_affected": "6.1.1"
+              "fixed": "7.0.0-alpha.1"
             }
           ]
         }
@@ -40,6 +40,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57324"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/Parse-SDK-JS/commit/9e7c1bad472b1ed2463cbac567b8ec752ae5b4c9"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/parse%405.3.0/index.js"
diff --git a/advisories/github-reviewed/2025/11/GHSA-5hhx-v7f6-x7gv/GHSA-5hhx-v7f6-x7gv.json b/advisories/github-reviewed/2025/11/GHSA-5hhx-v7f6-x7gv/GHSA-5hhx-v7f6-x7gv.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5hhx-v7f6-x7gv",
-  "modified": "2025-11-19T20:33:10Z",
+  "modified": "2025-11-27T08:58:51Z",
   "published": "2025-11-19T20:33:10Z",
   "aliases": [
     "CVE-2025-65099"
   ],
   "summary": "Claude Code vulnerable to command execution prior to startup trust dialog",
-  "details": "When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. \n\nUsers on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!",
+  "details": "When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory running Yarn 3.0 or above. \n\nUsers on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!",
   "severity": [
     {
       "type": "CVSS_V4",
diff --git a/advisories/github-reviewed/2025/11/GHSA-98vj-mm79-v77r/GHSA-98vj-mm79-v77r.json b/advisories/github-reviewed/2025/11/GHSA-98vj-mm79-v77r/GHSA-98vj-mm79-v77r.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-98vj-mm79-v77r",
-  "modified": "2025-11-25T20:43:13Z",
+  "modified": "2025-11-27T08:59:22Z",
   "published": "2025-11-25T20:43:13Z",
   "aliases": [
     "CVE-2025-65960"
@@ -78,6 +78,10 @@
       "type": "WEB",
       "url": "https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65960"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/contao/contao/commit/577d7fdd5b1ca84f65f034ff556865422f0a3bd1"
@@ -106,6 +110,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-11-25T20:43:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-11-25T19:15:51Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/11/GHSA-fjf5-xgmq-5525/GHSA-fjf5-xgmq-5525.json b/advisories/github-reviewed/2025/11/GHSA-fjf5-xgmq-5525/GHSA-fjf5-xgmq-5525.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fjf5-xgmq-5525",
-  "modified": "2025-11-25T19:07:05Z",
+  "modified": "2025-11-27T08:59:10Z",
   "published": "2025-11-25T19:07:05Z",
   "aliases": [
     "CVE-2025-58360"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58360"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/geoserver/geoserver"
@@ -113,6 +117,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-11-25T19:07:05Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-11-25T21:15:56Z"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-9g8m-v378-pcg3",`
`4`		`- "modified": "2025-09-26T12:57:00Z",`
	`4`	`+ "modified": "2025-11-27T08:57:14Z",`
`5`	`5`	`"published": "2025-09-24T21:30:37Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-57324"`
`8`	`8`	`],`
`9`	`9`	`"summary": "parse is vulnerable to prototype pollution",`
`10`		`- "details": "parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",`
	`10`	`+ "details": "parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",`
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -28,7 +28,7 @@`
`28`	`28`	`"introduced": "0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "last_affected": "6.1.1"`
	`31`	`+ "fixed": "7.0.0-alpha.1"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`@@ -40,6 +40,10 @@`
`40`	`40`	`"type": "ADVISORY",`
`41`	`41`	`"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57324"`
`42`	`42`	`},`
	`43`	`+ {`
	`44`	`+ "type": "WEB",`
	`45`	`+ "url": "https://github.com/parse-community/Parse-SDK-JS/commit/9e7c1bad472b1ed2463cbac567b8ec752ae5b4c9"`
	`46`	`+ },`
`43`	`47`	`{`
`44`	`48`	`"type": "WEB",`
`45`	`49`	`"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/parse%405.3.0/index.js"`