Miggo Logo

CVE-2020-26226: Secret disclosure when containing characters that become URI encoded

8.1

CVSS Score
3.1

Basic Information

EPSS Score
0.59291%
Published
11/18/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
semantic-releasenpm<= 17.2.217.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how secrets were masked in URL contexts. The commit diff shows the regex pattern in lib/hide-sensitive.js was modified to include both raw and URI-encoded versions of secrets. Prior to the fix, the regex only matched literal secret values (line 14 in original code), but didn't account for URI-encoded representations (e.g., spaces becoming %20). This allowed encoded secrets to appear unmasked in outputs. The function responsible for building the replacement regex is clearly identified in the diff as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S**r*ts t**t woul* norm*lly ** m*sk** *y `s*m*nti*-r*l**s*` **n ** ***i**nt*lly *is*los** i* t**y *ont*in ***r**t*rs t**t ***om* *n*o*** w**n in*lu*** in * URL. ### P*t***s *ix** in v**.*.* ### Work*roun*s S**r*ts t**t *o not *ont*in

Reasoning

T** vuln*r**ility st*ms *rom *ow s**r*ts w*r* m*sk** in URL *ont*xts. T** *ommit *i** s*ows t** r***x p*tt*rn in `li*/*i**-s*nsitiv*.js` w*s mo*i*i** to in*lu** *ot* r*w *n* URI-*n*o*** v*rsions o* s**r*ts. Prior to t** *ix, t** r***x only m*t**** li