Product Release Advisory - Tanzu Platform for Cloud Foundry 10.0.8

Tanzu Kubernetes Runtime

35968

24 July 2025

24 July 2025

CLOSED

CRITICAL

9.4

N/A

See CVE list in advisory

Advisory Details

Severity: Critical
CVSSv3 Range: 9.4
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Issue Date: 2025-07-24
Updated on:

Product Version Release Advisory

Security Fixes

This release has the following security fixes, listed by component and area.

| Component | Vulnerabilities Resolved |
| --- | --- |
| nodejs-offline-buildpack | CVE-2025-4517 (Critical) |
| routing | CVE-2025-22871 (Critical) |
| capi | GHSA-g85v-wf27-67xc (CVE-2024-52587) (High) |
| uaa, credhub | GHSA-hq9p-pm7w-8p54 (CVE-2025-49146) (High) |
| diego | CVE-2024-53427 (High) |
| garden-runc | GHSA-cm76-qm8v-3j95 (CVE-2025-47290) (High) |
| java-offline-buildpack | GHSA-vv7r-c36w-3prj (CVE-2025-48976) (High) |
| push-apps-manager-release | GHSA-xffm-g5w8-qvg7 (No known CVE) (High) |
| java-offline-buildpack | GHSA-4jrv-ppp4-jm57 (CVE-2022-25647) (High) |
| cf-autoscaling, credhub, uaa | GHSA-h3gc-qfqq-6h8f (CVE-2025-48988) (High) |
| capi | GHSA-gjh7-p2fx-99vx (CVE-2025-46727) (High) |
| nodejs-offline-buildpack | CVE-2025-4138 (High) |
| uaa | GHSA-4j3c-42xv-3f84 (CVE-2025-52434) (High) |
| nodejs-offline-buildpack | CVE-2025-4435 (High) |
| diego, smb-volume, notifications-ui, capi, nats, go-offline-buildpack, dotnet-core-offline-buildpack, staticfile-offline-buildpack, nodejs-offline-buildpack, pxc, nfs-volume, garden-runc, mysql-monitoring, notifications, r-offline-buildpack | CVE-2025-22874 (High) |
| diego | GHSA-mh63-6h87-95cp (CVE-2025-30204) (High) |
| java-offline-buildpack | GHSA-fg7x-g82r-94qc (CVE-2023-28756) (High) |
| diego | CVE-2025-48060 (High) |
| routing, push-apps-manager-release | GHSA-6v2p-p543-phr9 (CVE-2025-22868) (High) |
| uaa | GHSA-25xr-qj8w-c4vf (CVE-2025-53506) (High) |
| java-offline-buildpack | GHSA-hv5j-3h9f-99c2 (CVE-2023-28755) (High) |
| nodejs-offline-buildpack | CVE-2025-4330 (High) |
| notifications, garden-runc, nodejs-offline-buildpack, go-offline-buildpack, dotnet-core-offline-buildpack, smb-volume, staticfile-offline-buildpack, capi, nfs-volume, mysql-monitoring, r-offline-buildpack, nats, pxc, notifications-ui, diego | CVE-2025-4673 (Medium) |
| java-offline-buildpack | CVE-2024-27282 (Medium) |
| java-offline-buildpack | GHSA-7fc5-f82f-cx69 (CVE-2025-25186) (Medium) |
| nfs-volume | CVE-2025-4575 (Medium) |
| diego | CVE-2024-23337 (Medium) |
| credhub, cf-autoscaling | GHSA-6r3c-xf4w-jxjm (CVE-2025-41234) (Medium) |
| cf-autoscaling, smb-volume, nfs-volume | GHSA-vrw8-fxc6-2r93 (No known CVE) (Medium) |
| cf-autoscaling, credhub, uaa | GHSA-wc4r-xq3c-5cf3 (CVE-2025-49125) (Medium) |
| capi | GHSA-mxr3-8whj-j74r (CVE-2025-32955) (Medium) |
| nodejs-offline-buildpack | CVE-2025-4516 (Medium) |
| java-offline-buildpack | GHSA-4h8f-2wvx-gg5w (CVE-2024-34447) (Medium) |
| java-offline-buildpack | GHSA-v435-xc8x-wvr9 (CVE-2024-30171) (Medium) |
| java-offline-buildpack | GHSA-gh9q-2xrm-x6qv (CVE-2025-27219) (Medium) |
| routing, cf-autoscaling | CVE-2025-49014 (Medium) |
| pxc, dotnet-core-offline-buildpack, nodejs-offline-buildpack, mysql-monitoring, smb-volume, diego, garden-runc, staticfile-offline-buildpack, go-offline-buildpack, notifications, nats, r-offline-buildpack, nfs-volume, notifications-ui, capi | CVE-2025-0913 (Medium) |
| java-offline-buildpack | GHSA-7g45-4rm6-3mm3 (CVE-2023-2976) (Medium) |
| java-offline-buildpack | GHSA-m5vv-6r4h-3vj9 (CVE-2024-35255) (Medium) |
| nodejs-offline-buildpack | CVE-2024-12718 (Medium) |
| java-offline-buildpack | GHSA-hww2-5g85-429m (CVE-2023-36617) (Medium) |
| java-offline-buildpack | GHSA-8xfc-gm6g-vgpv (CVE-2024-29857) (Medium) |
| java-offline-buildpack | GHSA-m44j-cfrm-g8qc (CVE-2024-30172) (Medium) |
| java-offline-buildpack | GHSA-p53j-g8pw-4w5f (CVE-2020-36843) (Medium) |
| capi | GHSA-vpfw-47h7-xj4g (CVE-2025-32441) (Medium) |
| java-offline-buildpack | GHSA-mhwm-jh88-3gjf (CVE-2025-27220) (Medium) |
| java-offline-buildpack | GHSA-5mg8-w23w-74h3 (CVE-2020-8908) (Low) |
| java-offline-buildpack | GHSA-22h5-pq3x-2gf2 (CVE-2025-27221) (Low) |
| uaa | GHSA-h2fw-rfh5-95r3 (CVE-2025-46701) (Low) |