Integer Overflow or Wraparound Affecting zevv/duc package, versions [,1.4.6)

Q: How to fix?

Upgrade zevv/duc to version 1.4.6 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-UNMANAGED-ZEVVDUC-14192435
published5 Dec 2025
disclosed5 Dec 2025
creditHackingByDoing

Report a new vulnerability Found a mistake?

Introduced: 5 Dec 2025

NewCVE-2025-13654 (opens in a new tab) CWE-190 (opens in a new tab)

How to fix?

Upgrade zevv/duc to version 1.4.6 or higher.

Overview

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the buffer_get() function due to the use of size_t (an unsigned type). An attacker can cause an out-of-bounds read by providing crafted input that triggers a condition leading to underflow.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None