Cloudinary Package Arbitrary Argument Injection Vulnerability

Vulnerability

A vulnerability allowing arbitrary argument injection has been identified in the Cloudinary package for Node.js, affecting versions prior to 2.7.0. The issue arises from improper parsing of parameter values that include an ampersand, which can lead to the injection of additional, unintended parameters. This vulnerability could be exploited to bypass security checks, alter data, or manipulate the application's behavior.

Impact

Exploitation of this vulnerability could result in arbitrary argument injection, allowing attackers to inject unintended parameters that could disrupt normal application functionality or bypass security measures.

Reproduction

The vulnerability can be reproduced by uploading a file with a 'notification_url' parameter that includes an ampersand. This will inject additional parameters into the request, which can be verified by checking the response or the behavior of the application.
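
The class of bug described above, shown as an added example that is not code from the Cloudinary package: a simplified serializer that joins `key=value` pairs with `&` without escaping, next to a percent-encoding one, and a check for keys the caller never set. The function names, the sample URL and `extra_param` are constructed for illustration, and the serializer is an assumed model rather than the SDK's actual code path.

```javascript
// Added illustration; not code from the Cloudinary SDK. All names are hypothetical.

// Weak: joins key=value pairs with '&' and does not escape values.
function serializeNaive(params) {
  return Object.keys(params).sort()
    .map((k) => `${k}=${params[k]}`)
    .join('&');
}

// Hardened: percent-encodes keys and values, so '&' and '=' inside a value
// can no longer act as delimiters.
function serializeEncoded(params) {
  return Object.keys(params).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
}

// Receiver-side view: split on '&', then on the first '=', then decode.
function parse(serialized) {
  const out = {};
  for (const pair of serialized.split('&')) {
    const i = pair.indexOf('=');
    const k = i === -1 ? pair : pair.slice(0, i);
    const v = i === -1 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Keys that exist after parsing but were never set by the caller.
function injectedKeys(params, serialize) {
  const seen = parse(serialize(params));
  return Object.keys(seen).filter((k) => !(k in params));
}

// Constructed sample: two parameters set by the application; the second
// value is user-influenced and contains an ampersand.
const sample = {
  folder: 'uploads',
  notification_url: 'https://example.test/hook?a=1&extra_param=injected',
};

console.log(injectedKeys(sample, serializeNaive));   // ['extra_param']
console.log(injectedKeys(sample, serializeEncoded)); // []
```

The `injectedKeys` comparison also works as a regression test after upgrading: the set of parameters the receiver sees should equal the set the application supplied.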

Remediation

Users are advised to upgrade the Cloudinary package to version 2.7.0 or higher.

Added: Nov 10, 2025, 5:23 AM
Updated: Nov 10, 2025, 5:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 7.7
relevance: 1.0