Basic Information

| Field | Value |
|---|---|
| CVSS Score | - |
| CVE ID | - |
| GHSA ID | - |
| EPSS Score | - |
| CWE | - |
| Published | - |
| Updated | - |
| KEV Status | - |
| Technology | - |
The vulnerability stems from the TinaCMS CLI's server setup exposing environment variables without filtering. The patch in #3584 introduced a whitelist limited to the NEXT_PUBLIC_* and TINA_PUBLIC_* prefixes, which indicates that earlier versions applied no such filter. The vulnerable environment variable handling would have lived in the CLI's server initialization code, most likely in its server setup or configuration files. Exact function names are not visible in the available references, but the pattern of passing environment variables through server middleware or configuration matches typical implementations of this class of vulnerability.
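The following is an added illustration of the prefix allowlist described above, not code from TinaCMS or the #3584 patch; the function names and the sample environment are assumptions made for this example.

```javascript
// Prefixes that are safe to forward. The page states the #3584 patch
// allowed exactly these two; anything else is treated as server-only.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "TINA_PUBLIC_"];

// Constructed sample environment: two public values and two secrets.
// Note TINA_TOKEN starts with "TINA_" but not "TINA_PUBLIC_", so a
// correct filter must match the full prefix, not a looser substring.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SITE_URL: "https://example.invalid",
  TINA_PUBLIC_CLIENT_ID: "client-id-placeholder",
  DATABASE_URL: "postgres://user:placeholder@db.invalid/app",
  TINA_TOKEN: "token-placeholder",
};

// Pre-patch pattern (vulnerable): every variable is forwarded as-is,
// so server-only secrets reach whatever consumes this object.
function envForServerUnfiltered(env) {
  return { ...env };
}

// Patched pattern: only variables whose name begins with an allowed
// prefix are forwarded. Everything else is dropped, not masked.
function envForServerFiltered(env, prefixes = PUBLIC_PREFIXES) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    if (prefixes.some((p) => name.startsWith(p))) {
      out[name] = value;
    }
  }
  return out;
}

// Defensive check: names in a forwarded object that carry no allowed
// prefix. Suitable as a unit test or a startup assertion.
function leakedNames(forwarded, prefixes = PUBLIC_PREFIXES) {
  return Object.keys(forwarded).filter(
    (name) => !prefixes.some((p) => name.startsWith(p))
  );
}

console.log("unfiltered leaks:", leakedNames(envForServerUnfiltered(SAMPLE_ENV)));
console.log("filtered leaks:", leakedNames(envForServerFiltered(SAMPLE_ENV)));
```

Running the check against the unfiltered object reports DATABASE_URL and TINA_TOKEN; against the filtered object it reports nothing.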
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @tinacms/cli | npm | >= 1.0.0, < 1.0.9 | 1.0.9 |