CVE-2022-31051: Exposure of Sensitive Information to an Unauthorized Actor in semantic-release
4.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.62884%
CWE
Published
6/9/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
semantic-release | npm | >= 17.0.4, < 19.0.3 | 19.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from logging a modified repository URL containing credentials. The commit 58a226f shows the fix replaced options.repositoryUrl
with options.originalRepositoryURL
in the log message. The original implementation used a URL that might have been altered to include credentials (which encodeURI
doesn't fully sanitize), while the patched version uses the unmodified URL. This indicates the logging function using options.repositoryUrl
was the exposure point for improperly masked secrets.