ByteOS Network

CVE Vulnerability Details :

CVE-2025-14896

PUBLISHED

More Info Official Page

Assigner-snyk

Assigner Org ID-bae035ff-b466-4ff4-94d0-fc9efd9e1730

Published At-18 Dec, 2025 | 16:20

Updated At-18 Dec, 2025 | 16:49

▼CVE Numbering Authority (CNA)

due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.

Affected Products

Vendor

yuzutech

Product

kroki

Versions

Affected

From 0 before * (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	Files or Directories Accessible to External Parties

Type: N/A

CWE ID: N/A

Description: Files or Directories Accessible to External Parties

Metrics

Version	Base score	Base severity	Vector
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0	8.7	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Version: 4.0

Base score: 8.7

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Credits

Catalin Iovita (Snyk Security Research)

References

Hyperlink	Resource
https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e	N/A

Hyperlink: https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References