
GHSA-jmqm-f2gx-4fjv: Sensitive information exposure through logs in npm-registry-fetch

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 7/7/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name       | Ecosystem | Vulnerable Versions  | First Patched Version
npm-registry-fetch | npm       | < 4.0.5              | 4.0.5
npm-registry-fetch | npm       | >= 5.0.0, < 8.1.1    | 8.1.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub commit diff shows the vulnerability was fixed by modifying the `logRequest` function in `check-response.js`. The original code logged `res.url` directly (`${res.url}`), while the patched version parses the URL and replaces the password with `'***'`. This function's pre-patch behavior matches the described vulnerability of exposing passwords in logs through unredacted URL logging.
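The two behaviours described above, as an added illustration that is not npm-registry-fetch's own code: a minimal stand-in for `logRequest` that interpolates the raw URL, beside a redacted variant that parses the URL and masks the password before it reaches the log. The function names, the log line format and the sample registry URL are assumptions.

```javascript
// Added example (not from npm-registry-fetch): unredacted vs. redacted request logging.
// Uses Node's global WHATWG URL class; no third-party modules needed.

// Pre-patch behaviour: the request URL is interpolated into the log line as-is,
// so a registry URL carrying user:password@ credentials leaks the password to
// stdout and to any log file that captures it.
function logRequestUnredacted(method, url) {
  return `http fetch ${method} ${url}`;
}

// Patched behaviour: parse the URL and replace any password component with '***'
// before formatting. A string that does not parse as a URL is logged as a fixed
// placeholder so the logging path itself never throws.
function redactUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return '<invalid url>';
  }
  if (parsed.password) {
    parsed.password = '***';
  }
  return parsed.toString();
}

function logRequestRedacted(method, url) {
  return `http fetch ${method} ${redactUrl(url)}`;
}

// Constructed sample: a private registry URL with embedded basic-auth credentials
// in the <proto>://<user>:<password>@<host>:<port>/<path> form the advisory describes.
const sampleUrl = 'https://deploy:s3cret-token@registry.example.com:8443/@scope/pkg';

console.log(logRequestUnredacted('GET', sampleUrl)); // password visible
console.log(logRequestRedacted('GET', sampleUrl));   // password shown as ***
```

A useful regression check for any logging helper is to assert that a credential placed in the URL never appears in the formatted log line, as the test below does.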


WAF Protection Rules

WAF Rule

Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted a
