8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25164

GHSA ID

GHSA-pc2q-jcxq-rjrr

EPSS Score

0.49413%

CWE

CWE-200

Published

2/8/2023

Updated

2/8/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-25164

CVE-2023-25164: Sensitive Information leak via Script File in TinaCMS

Impact

Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env var are impacted. If you're on a version prior to 1.0.0 this vulnerability does not affect you.

If your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately.

Patches

This issue has been patched in @tinacms/cli@1.0.9

Workarounds

Upgrading, and rotating secure & exposed keys is required for the proper fix.

References

https://github.com/tinacms/tinacms/pull/3584

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25164

GHSA ID

GHSA-pc2q-jcxq-rjrr

EPSS Score

0.49413%

CWE

CWE-200

Published

2/8/2023

Updated

2/8/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@tinacms/cli	npm	>= 1.0.0, < 1.0.9	1.0.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unfiltered environment variable exposure in the TinaCMS CLI's server setup. The patch in #3584 specifically implemented a whitelist (NEXT_PUBLIC_* and TINA_PUBLIC_*), indicating previous versions lacked this filtering. The CLI's server initialization code would have contained the vulnerable environment variable handling logic, likely in the server setup/configuration files. While exact function names aren't visible in provided references, the pattern of environment variable handling in server middleware/configuration files matches typical implementations for this type of vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S*nsitiv* In*orm*tion l**k** vi* s*ript *il* in Tin**MS. Sit*s *uil*in* wit* @tin**ms/*li >= *.*.* && < *.*.* t**t stor* s*nsitiv* v*lu*s in pro**ss.*nv v*r *r* imp**t**. I* you'r* on * v*rsion prior to *.*.* t*is vuln*r**ility *o*s not *

Reasoning

T** vuln*r**ility st*ms *rom un*ilt*r** *nvironm*nt v*ri**l* *xposur* in t** Tin**MS *LI's s*rv*r s*tup. T** p*t** in #**** sp**i*i**lly impl*m*nt** * w*it*list (N*XT_PU*LI*_* *n* TIN*_PU*LI*_*), in*i**tin* pr*vious v*rsions l**k** t*is *ilt*rin*. T*

8.6

Basic Information

Concerned about an active attack path?

CVE-2023-25164: Sensitive Information leak via Script File in TinaCMS

Impact

Patches

Workarounds

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI