GHSA-g2gw-q38m-vjfc: Lokka: Azure Resource Manager URL path validation issue
Lokka versions prior to 2.1.2 constructed Azure Resource Manager request URLs using direct string concatenation with user-controlled path input. Specially crafted path values could alter URL authority parsing and cause Azure Resource Manager bearer tokens to be sent to an unintended host. Version 2.1.2 fixes the issue by validating Azure paths before token acquisition and constructing Azure Resource Manager URLs with the standard URL API while preserving the expected management.azure.com host.
Reported by 정해창 haechang__@naver.com
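An added illustration of the two construction patterns the advisory contrasts (example code written for this page, not Lokka's own; the function names, the origin constant and the sample subscription path are assumptions): a concatenating builder whose authority is whatever the caller's string makes it, beside a builder that validates the path before any token is acquired, uses the standard URL API and refuses to return anything whose host is not management.azure.com.

```javascript
// Illustration of the bug class in GHSA-g2gw-q38m-vjfc. All names below are
// assumptions for this example, not Lokka's own code.
const ARM_ORIGIN = 'https://management.azure.com';
const ARM_HOST = 'management.azure.com';

// Vulnerable pattern: string concatenation. The caller's string is joined to
// the origin before any parser sees it, so nothing guarantees that the
// authority component of the final URL is still the intended host.
function buildArmUrlUnsafe(path) {
  return ARM_ORIGIN + path;
}

// Hardened pattern, step 1: validate the path before token acquisition.
// Only a single leading "/" is accepted; a second slash would start a new
// authority, and a backslash is treated as "/" by the URL parser for https.
function validateArmPath(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) {
    throw new Error('Azure path must start with a single "/"');
  }
  if (path.startsWith('//') || path.includes('\\')) {
    throw new Error('Azure path must not introduce an authority');
  }
  return path;
}

// Hardened pattern, step 2: build with the WHATWG URL API against a fixed
// base, then confirm the parsed host and scheme are still the ARM endpoint.
function buildArmUrlSafe(path) {
  const url = new URL(validateArmPath(path), ARM_ORIGIN);
  if (url.protocol !== 'https:' || url.host !== ARM_HOST) {
    throw new Error(`Refusing to send an ARM token to ${url.host}`);
  }
  return url.toString();
}

// Host a bearer token would actually be sent to for a given URL string,
// so the two builders can be compared on the same input.
function effectiveHost(urlString) {
  return new URL(urlString).host;
}
```

The host check in buildArmUrlSafe is deliberately kept even though validateArmPath already rejects the known shapes; the parser, not the regex, decides where the authority ends, so the parser's answer is what gets checked.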