
CVE-2025-12613: Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand

November 10, 2025 (updated November 12, 2025)

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection because parameter values that contain an ampersand (&) are not properly neutralised when parameters are parsed and assembled. An attacker who controls such a value can inject additional, unintended parameters into the request the SDK builds. Depending on how the application uses those parameters, this could bypass security checks, alter data, or otherwise manipulate the application's behaviour.

Note: Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven’t received a response.

References

  • github.com/advisories/GHSA-g4mf-96x5-5m2c
  • github.com/cloudinary/cloudinary_npm
  • github.com/cloudinary/cloudinary_npm/commit/ec4b65f2b3461365c569198ed6d2cfa61cca4050
  • github.com/cloudinary/cloudinary_npm/pull/709
  • nvd.nist.gov/vuln/detail/CVE-2025-12613
  • security.snyk.io/vuln/SNYK-JS-CLOUDINARY-10495740


Detect and mitigate CVE-2025-12613 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 2.7.0

Fixed versions

  • 2.7.0

Solution

Upgrade to version 2.7.0 or above.

Impact: 8.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L


Weakness

  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Source file

npm/cloudinary/CVE-2025-12613.yml



Page generated Mon, 24 Nov 2025 00:19:15 +0000.