-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cloudinary | npm | < 2.7.0 | 2.7.0 |
Miggo AIRoot Cause AnalysisThe vulnerability, identified as CVE-2025-12613, is an Arbitrary Argument Injection flaw in the Cloudinary Node.js SDK. The root cause is the improper handling of ampersand characters ('&') within parameter values during the API request signing process. The core of the vulnerability is in the api_sign_request function located in lib/utils/index.js. This function would concatenate parameter keys and values into a single string to be signed, using '&' as a delimiter. It did not, however, encode ampersands that were part of the parameter values. This allowed an attacker to inject new key-value pairs into the signed request. For instance, by providing a notification_url like https://example.com?p1=v1&extra_param=value, an attacker could cause the server to process extra_param=value as a legitimate, signed parameter.
The patch introduces a new signature versioning system. The new default signature version (v2) properly encodes parameter values before they are included in the string-to-sign, mitigating the injection vulnerability. The old, vulnerable behavior is retained as signature version 1 for backward compatibility, specifically for response verification in PreloadedFile.is_valid via the new verify_api_response_signature helper. Any function that builds and signs API requests, such as cloudinary.v2.uploader.upload, would have been an entry point for this vulnerability.