Vulnerability-Lookup

CVE-2025-64718 (GCVE-0-2025-64718)

Vulnerability from cvelistv5 – Published: 2025-11-13 15:32 – Updated: 2026-01-29 22:08

Title

js-yaml has prototype pollution in merge (<<)

Summary

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nodeca/js-yaml/security/adviso…	x_refsource_CONFIRM
	https://github.com/nodeca/js-yaml/issues/730#issu…	x_refsource_MISC
	https://github.com/nodeca/js-yaml/commit/383665ff…	x_refsource_MISC
	https://github.com/nodeca/js-yaml/commit/5278870a…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nodeca	js-yaml	Affected: >= 4.0.0, < 4.1.1 Affected: < 3.14.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64718",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T16:18:01.997938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T16:18:39.270Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-21T14:38:16.644Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "js-yaml",
          "vendor": "nodeca",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.1"
            },
            {
              "status": "affected",
              "version": "\u003c 3.14.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-29T22:08:30.431Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m"
        },
        {
          "name": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876"
        },
        {
          "name": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
        },
        {
          "name": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
        }
      ],
      "source": {
        "advisory": "GHSA-mh29-5h37-fv8m",
        "discovery": "UNKNOWN"
      },
      "title": "js-yaml has prototype pollution in merge (\u003c\u003c)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64718",
    "datePublished": "2025-11-13T15:32:44.634Z",
    "dateReserved": "2025-11-10T14:07:42.922Z",
    "dateUpdated": "2026-01-29T22:08:30.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/advisories/GHSA-mh29-5h37-fv8m\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-01-21T14:38:16.644Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64718\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-13T16:18:01.997938Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-13T16:18:34.960Z\"}}], \"cna\": {\"title\": \"js-yaml has prototype pollution in merge (\u003c\u003c)\", \"source\": {\"advisory\": \"GHSA-mh29-5h37-fv8m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nodeca\", \"product\": \"js-yaml\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.1.1\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.14.2\"}]}], \"references\": [{\"url\": \"https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m\", \"name\": \"https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876\", \"name\": \"https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879\", \"name\": \"https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266\", \"name\": \"https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-29T22:08:30.431Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64718\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-29T22:08:30.431Z\", \"dateReserved\": \"2025-11-10T14:07:42.922Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-13T15:32:44.634Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-MH29-5H37-FV8M

Vulnerability from github – Published: 2025-11-14 14:29 – Updated: 2026-01-31 03:32

Summary

js-yaml has prototype pollution in merge (<<)

Details

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T14:29:48Z",
    "nvd_published_at": "2025-11-13T16:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 4.1.1 and 3.14.2.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html",
  "id": "GHSA-mh29-5h37-fv8m",
  "modified": "2026-01-31T03:32:42Z",
  "published": "2025-11-14T14:29:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodeca/js-yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "js-yaml has prototype pollution in merge (\u003c\u003c)"
}

FKIE_CVE-2025-64718

Vulnerability from fkie_nvd - Published: 2025-11-13 16:15 - Updated: 2026-02-02 12:54

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879	Patch
security-advisories@github.com	https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266	Patch
security-advisories@github.com	https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876	Issue Tracking
security-advisories@github.com	https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-mh29-5h37-fv8m	Vendor Advisory

Impacted products

	Vendor	Product	Version
	nodeca	js-yaml	*
	nodeca	js-yaml	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "8CAC7EC0-C471-4811-A77C-2DD5B47C7F46",
              "versionEndExcluding": "3.14.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodeca:js-yaml:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "B56B6076-0668-4DDC-8B01-C48019081B13",
              "versionEndExcluding": "4.1.1",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default)."
    }
  ],
  "id": "CVE-2025-64718",
  "lastModified": "2026-02-02T12:54:45.340",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-13T16:15:57.153",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CERTFR-2026-AVI-0112

Vulnerability from certfr_avis - Published: 2026-02-02 - Updated: 2026-02-02

De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu Platform	Foundation Core pour VMware Tanzu Platform versions antérieures à 3.1.7
VMware	Tanzu Kubernetes Grid Integrated Edition	Tanzu Kubernetes Grid Integrated Edition (TKGi) - Mgmt Console versions antérieures à 1.24.0
VMware	Tanzu Platform	Isolation Segmentation pour VMware Tanzu Platform versions antérieures à 10.2.7+LTS-T
VMware	N/A	NodeJS Buildpack versions antérieures à 1.8.74
VMware	Tanzu Platform	Foundation Core pour VMware Tanzu Platform versions antérieures à 3.2.3
VMware	Tanzu Platform	Telemetry pour VMware Tanzu Platform versions antérieures à 2.4.0
VMware	N/A	Platform Automation Toolkit versions antérieures à 5.4.0
VMware	N/A	VMware Harbor Registry versions antérieures à 2.14.0
VMware	Tanzu Platform	Isolation Segmentation pour VMware Tanzu Platform versions antérieures à 10.3.4

References

Title

Publication Time

Tags

Bulletin de sécurité VMware 36902	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36908	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36897	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36912	2026-02-01	vendor-advisory
Bulletin de sécurité VMware 36904	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36900	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36903	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36909	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36899	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36906	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36907	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36901	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36905	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36898	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36910	2026-02-02	vendor-advisory
Bulletin de sécurité VMware 36911	2026-02-02	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Foundation Core pour VMware Tanzu Platform versions ant\u00e9rieures \u00e0 3.1.7",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu Kubernetes Grid Integrated Edition (TKGi) - Mgmt Console versions ant\u00e9rieures \u00e0 1.24.0",
      "product": {
        "name": "Tanzu Kubernetes Grid Integrated Edition",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Isolation Segmentation pour VMware Tanzu Platform versions ant\u00e9rieures \u00e0 10.2.7+LTS-T",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "NodeJS Buildpack versions ant\u00e9rieures \u00e0 1.8.74",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Foundation Core pour VMware Tanzu Platform versions ant\u00e9rieures \u00e0 3.2.3",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Telemetry pour VMware Tanzu Platform versions ant\u00e9rieures \u00e0  2.4.0",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Platform Automation Toolkit versions ant\u00e9rieures \u00e0 5.4.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Harbor Registry versions ant\u00e9rieures \u00e0 2.14.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Isolation Segmentation pour VMware Tanzu Platform versions ant\u00e9rieures \u00e0 10.3.4",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-8715",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8715"
    },
    {
      "name": "CVE-2025-53547",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53547"
    },
    {
      "name": "CVE-2025-58183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
    },
    {
      "name": "CVE-2025-9231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9231"
    },
    {
      "name": "CVE-2025-68973",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-68973"
    },
    {
      "name": "CVE-2025-10148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-10148"
    },
    {
      "name": "CVE-2025-14087",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14087"
    },
    {
      "name": "CVE-2025-22872",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22872"
    },
    {
      "name": "CVE-2025-28164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-28164"
    },
    {
      "name": "CVE-2025-0913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0913"
    },
    {
      "name": "CVE-2025-47907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
    },
    {
      "name": "CVE-2026-24882",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24882"
    },
    {
      "name": "CVE-2023-45288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
    },
    {
      "name": "CVE-2025-6075",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6075"
    },
    {
      "name": "CVE-2025-22228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
    },
    {
      "name": "CVE-2025-58185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58185"
    },
    {
      "name": "CVE-2025-55752",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55752"
    },
    {
      "name": "CVE-2025-58767",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58767"
    },
    {
      "name": "CVE-2024-38819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
    },
    {
      "name": "CVE-2025-55198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55198"
    },
    {
      "name": "CVE-2025-15284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
    },
    {
      "name": "CVE-2026-1485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1485"
    },
    {
      "name": "CVE-2022-49390",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-49390"
    },
    {
      "name": "CVE-2025-48060",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48060"
    },
    {
      "name": "CVE-2025-21855",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21855"
    },
    {
      "name": "CVE-2024-21510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21510"
    },
    {
      "name": "CVE-2025-14512",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14512"
    },
    {
      "name": "CVE-2025-8291",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8291"
    },
    {
      "name": "CVE-2025-61921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61921"
    },
    {
      "name": "CVE-2023-34231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34231"
    },
    {
      "name": "CVE-2025-61727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61727"
    },
    {
      "name": "CVE-2025-64718",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
    },
    {
      "name": "CVE-2024-28180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
    },
    {
      "name": "CVE-2025-65637",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-65637"
    },
    {
      "name": "CVE-2025-22233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22233"
    },
    {
      "name": "CVE-2025-47910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47910"
    },
    {
      "name": "CVE-2024-38820",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
    },
    {
      "name": "CVE-2025-10966",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-10966"
    },
    {
      "name": "CVE-2025-47906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
    },
    {
      "name": "CVE-2025-31133",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31133"
    },
    {
      "name": "CVE-2025-64505",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64505"
    },
    {
      "name": "CVE-2025-58188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58188"
    },
    {
      "name": "CVE-2025-4674",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4674"
    },
    {
      "name": "CVE-2022-29526",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29526"
    },
    {
      "name": "CVE-2025-65945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-65945"
    },
    {
      "name": "CVE-2025-28162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-28162"
    },
    {
      "name": "CVE-2025-55754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55754"
    },
    {
      "name": "CVE-2025-64506",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64506"
    },
    {
      "name": "CVE-2025-52881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-52881"
    },
    {
      "name": "CVE-2025-22868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
    },
    {
      "name": "CVE-2025-3360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-3360"
    },
    {
      "name": "CVE-2025-64720",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64720"
    },
    {
      "name": "CVE-2025-61724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61724"
    },
    {
      "name": "CVE-2025-61723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61723"
    },
    {
      "name": "CVE-2025-9232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9232"
    },
    {
      "name": "CVE-2025-61795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
    },
    {
      "name": "CVE-2025-14762",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14762"
    },
    {
      "name": "CVE-2025-8713",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8713"
    },
    {
      "name": "CVE-2025-66471",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
    },
    {
      "name": "CVE-2026-21441",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-53427",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53427"
    },
    {
      "name": "CVE-2025-61725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61725"
    },
    {
      "name": "CVE-2025-65018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-65018"
    },
    {
      "name": "CVE-2025-7039",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7039"
    },
    {
      "name": "CVE-2025-12818",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12818"
    },
    {
      "name": "CVE-2025-48989",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
    },
    {
      "name": "CVE-2026-24842",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
    },
    {
      "name": "CVE-2025-22874",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22874"
    },
    {
      "name": "CVE-2025-55199",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55199"
    },
    {
      "name": "CVE-2025-61594",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61594"
    },
    {
      "name": "CVE-2025-47912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47912"
    },
    {
      "name": "CVE-2025-11414",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-11414"
    },
    {
      "name": "CVE-2025-54410",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54410"
    },
    {
      "name": "CVE-2025-52565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
    },
    {
      "name": "CVE-2026-24883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24883"
    },
    {
      "name": "CVE-2025-39964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39964"
    },
    {
      "name": "CVE-2025-39993",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39993"
    },
    {
      "name": "CVE-2025-58186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58186"
    },
    {
      "name": "CVE-2025-8714",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8714"
    },
    {
      "name": "CVE-2025-9086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9086"
    },
    {
      "name": "CVE-2025-58187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58187"
    },
    {
      "name": "CVE-2025-13601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13601"
    },
    {
      "name": "CVE-2025-12817",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12817"
    },
    {
      "name": "CVE-2025-4673",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4673"
    },
    {
      "name": "CVE-2025-22871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
    },
    {
      "name": "CVE-2024-38828",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
    },
    {
      "name": "CVE-2025-6966",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6966"
    },
    {
      "name": "CVE-2025-58181",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58181"
    },
    {
      "name": "CVE-2025-8959",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8959"
    },
    {
      "name": "CVE-2025-47914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47914"
    },
    {
      "name": "CVE-2025-40018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-40018"
    },
    {
      "name": "CVE-2024-53218",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53218"
    },
    {
      "name": "CVE-2025-67499",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-67499"
    },
    {
      "name": "CVE-2025-58058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58058"
    },
    {
      "name": "CVE-2025-22869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
    },
    {
      "name": "CVE-2025-58189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58189"
    },
    {
      "name": "CVE-2025-22870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
    },
    {
      "name": "CVE-2025-11413",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-11413"
    },
    {
      "name": "CVE-2024-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-23337"
    },
    {
      "name": "CVE-2025-61748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61748"
    },
    {
      "name": "CVE-2025-22235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22235"
    },
    {
      "name": "CVE-2025-9230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
    },
    {
      "name": "CVE-2025-7339",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7339"
    },
    {
      "name": "CVE-2024-53090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53090"
    },
    {
      "name": "CVE-2025-8916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8916"
    },
    {
      "name": "CVE-2025-23419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23419"
    },
    {
      "name": "CVE-2025-8885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8885"
    },
    {
      "name": "CVE-2025-41249",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
    },
    {
      "name": "CVE-2025-11412",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-11412"
    },
    {
      "name": "CVE-2026-1484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1484"
    },
    {
      "name": "CVE-2025-7424",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7424"
    },
    {
      "name": "CVE-2024-50067",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50067"
    },
    {
      "name": "CVE-2024-47220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47220"
    },
    {
      "name": "CVE-2025-54388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54388"
    },
    {
      "name": "CVE-2026-1489",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1489"
    },
    {
      "name": "CVE-2026-24881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24881"
    },
    {
      "name": "CVE-2025-41242",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41242"
    },
    {
      "name": "CVE-2024-38816",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38816"
    },
    {
      "name": "CVE-2025-53057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
    },
    {
      "name": "CVE-2025-6442",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6442"
    },
    {
      "name": "CVE-2025-53066",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
    },
    {
      "name": "CVE-2016-1000027",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
    },
    {
      "name": "CVE-2025-61729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
    },
    {
      "name": "CVE-2025-11494",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-11494"
    },
    {
      "name": "CVE-2024-47691",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47691"
    },
    {
      "name": "CVE-2025-66418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
    }
  ],
  "initial_release_date": "2026-02-02T00:00:00",
  "last_revision_date": "2026-02-02T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0112",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-02-02T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits VMware",
  "vendor_advisories": [
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36902",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36902"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36908",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36908"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36897",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36897"
    },
    {
      "published_at": "2026-02-01",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36912",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36912"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36904",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36904"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36900",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36900"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36903",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36903"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36909",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36909"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36899",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36899"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36906",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36906"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36907",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36907"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36901",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36901"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36905",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36905"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36898",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36898"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36910",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36910"
    },
    {
      "published_at": "2026-02-02",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 36911",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36911"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64718 (GCVE-0-2025-64718)

GHSA-MH29-5H37-FV8M

Impact

Patches

Workarounds

References

FKIE_CVE-2025-64718

CERTFR-2026-AVI-0112

Solutions

Tags

Sightings

Nomenclature