7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-96qw-h329-v5rg

GHSA-96qw-h329-v5rg: Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles

Summary

Since 2017, the default webpack plugins have passed the entire process.env to EnvironmentPlugin. This pattern exposed ALL build environment variables to client-side JavaScript bundles whenever application code (or any dependency) referenced process.env.VARIABLE_NAME.

This is not a regression - the vulnerable code has existed since the original Webpacker implementation. No recent code change in Shakapacker triggered this issue.

Impact

Any environment variable in the build environment that is referenced in client-side code (including third-party dependencies) is embedded directly into the JavaScript bundle. This includes:

DATABASE_URL - Database credentials
AWS_SECRET_ACCESS_KEY - AWS credentials
RAILS_MASTER_KEY - Rails encrypted credentials key
STRIPE_SECRET_KEY, TWILIO_AUTH_TOKEN - Third-party API keys
Any other secrets present in the build environment

Severity: Critical - secrets are exposed in publicly accessible JavaScript files.

Root Cause

The original code used:

new webpack.EnvironmentPlugin(process.env)

This makes every environment variable available for substitution. If any code references process.env.SECRET_KEY, that value is embedded in the bundle.

Patches

Upgrade to version 9.5.0 or later, which uses an allowlist approach that only exposes NODE_ENV, RAILS_ENV, and WEBPACK_SERVE by default.

Workarounds

If developers cannot upgrade immediately:

Audit client-side code and dependencies for any process.env.X references to sensitive variables
Remove sensitive variables from the build environment
Override the default plugins with a custom webpack/rspack config using an explicit allowlist

Migration

After upgrading, if client-side code needs access to specific environment variables:

Option 1: Use the SHAKAPACKER_PUBLIC_ prefix (recommended)

# Variables with this prefix are automatically exposed
export SHAKAPACKER_PUBLIC_API_URL="https://api.example.com"

Option 2: Use SHAKAPACKER_ENV_VARS

SHAKAPACKER_ENV_VARS=API_URL,FEATURE_FLAG bundle exec rails assets:precompile

Action Required

After upgrading, rotate any secrets that may have been exposed in previously compiled JavaScript bundles.

Resources

Fix PR: https://github.com/shakacode/shakapacker/pull/857

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-96qw-h329-v5rg

GHSA-96qw-h329-v5rg:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shakapacker	npm	< 9.5.0	9.5.0
shakapacker	rubygems	< 9.5.0	9.5.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the default webpack and rspack configurations within Shakapacker. Specifically, the getPlugins function in both package/plugins/webpack.ts and package/plugins/rspack.ts used new webpack.EnvironmentPlugin(process.env) and new rspack.EnvironmentPlugin(process.env) respectively. This action passed all build-time environment variables to the client-side JavaScript bundles. If any part of the application's frontend code (or its dependencies) referenced an environment variable (e.g., process.env.DATABASE_URL), its value would be embedded directly into the public-facing JavaScript files. This exposed sensitive information and secrets, such as database credentials, API keys, and Rails master keys, to anyone inspecting the compiled assets. The patch remediates this by replacing the dangerous process.env with a call to a new getFilteredEnv() function. This new function uses a strict allowlist approach, only exposing non-sensitive variables by default (NODE_ENV, RAILS_ENV, WEBPACK_SERVE) and variables explicitly marked as public via a SHAKAPACKER_PUBLIC_ prefix or the SHAKAPACKER_ENV_VARS setting.

Vulnerable functions

getPlugins

package/plugins/webpack.ts

This function was responsible for configuring webpack plugins. By passing the entire `process.env` object to `EnvironmentPlugin`, it made all server-side environment variables, including secrets, available for substitution in the client-side JavaScript bundle, leading to information exposure.

getPlugins

package/plugins/rspack.ts

Similar to the webpack plugin, this function configured rspack plugins. It also passed the entire `process.env` to `EnvironmentPlugin`, creating the same vulnerability of leaking server-side environment variables into the client-side bundle.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-96qw-h329-v5rg: Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles

Summary

Impact

Root Cause

Patches

Workarounds

Migration

Action Required

Resources

GHSA-96qw-h329-v5rg:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

7.5

7.5

GHSA-96qw-h329-v5rg: Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles

Summary

Impact

Root Cause

Patches

Workarounds

Migration

Action Required

Resources

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI