CVE-2020-26226: Secret disclosure when containing characters that become URI encoded
CVSS Score: 8.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-26226
GHSA ID:
EPSS Score: 0.59291%
CWE:
Published: 11/18/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
semantic-release | npm | <= 17.2.2 | 17.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how secrets were masked in URL contexts. The commit diff shows that the regex pattern in lib/hide-sensitive.js was modified to include both the raw and the URI-encoded form of each secret. Prior to the fix, the regex only matched literal secret values (line 14 in the original code) and did not account for URI-encoded representations (e.g., a space becoming %20), so an encoded secret could appear unmasked in output. The function responsible for building the replacement regex is clearly identified in the diff as the root cause.
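The masking logic described above, as an added example that is not semantic-release's own code: it builds one regex from every secret-looking environment value in both its raw and URI-encoded forms, and goes slightly beyond the page by including the encodeURIComponent form as well (which also covers `/` and `?`). The constants, the `encoded` switch used to show the pre-fix behaviour, and the sample environment and log line are assumptions constructed for the example.

```javascript
// Added example: mask secrets in log output, in raw and URI-encoded form.
// Illustrates the idea behind the CVE-2020-26226 fix; not semantic-release's own code.

const SECRET_REPLACEMENT = '[secure]';
const SECRET_MIN_SIZE = 5; // assumption: skip very short values, which would mask noise

// Escape a literal string so it can be embedded in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Select environment values whose variable names look like secrets.
function secretValues(env) {
  return Object.keys(env)
    .filter((name) => /token|password|credential|secret|private/i.test(name))
    .map((name) => env[name])
    .filter((value) => typeof value === 'string' && value.trim().length >= SECRET_MIN_SIZE);
}

// Build a masking function. With encoded=true each secret also contributes its
// encodeURI and encodeURIComponent forms, so "tok en/1234" is caught as
// "tok%20en/1234" and "tok%20en%2F1234" too. encoded=false reproduces the
// pre-fix behaviour (raw value only) for comparison.
function hideSensitive(env, { encoded = true } = {}) {
  const values = secretValues(env);
  if (values.length === 0) return (output) => output;
  const alternatives = new Set();
  for (const v of values) {
    alternatives.add(v);
    if (encoded) {
      alternatives.add(encodeURI(v));
      alternatives.add(encodeURIComponent(v));
    }
  }
  // Longest forms first so a shorter alternative cannot pre-empt a longer match.
  const pattern = [...alternatives]
    .sort((a, b) => b.length - a.length)
    .map(escapeRegExp)
    .join('|');
  const regexp = new RegExp(pattern, 'g');
  return (output) => (typeof output === 'string' ? output.replace(regexp, SECRET_REPLACEMENT) : output);
}

// Constructed sample: a token with a space and a slash, printed both raw and inside a URL.
const sampleEnv = { NPM_TOKEN: 'tok en/1234', HOME: '/home/ci' };
const sampleLine = 'GET https://registry.example/?auth=tok%20en%2F1234 (raw: tok en/1234)';
const beforeFix = hideSensitive(sampleEnv, { encoded: false })(sampleLine); // URL part still leaks
const afterFix = hideSensitive(sampleEnv)(sampleLine);                      // both forms masked
```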