GHSA-96qw-h329-v5rg: Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles
Since 2017, Shakapacker's default webpack plugins have passed the entire process.env object to webpack's EnvironmentPlugin. This pattern exposes every build-time environment variable to the client-side JavaScript bundle whenever application code (or any dependency) references process.env.VARIABLE_NAME.
This is not a regression: the vulnerable code has existed since the original Webpacker implementation, and no recent code change in Shakapacker triggered this issue.
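The following is an added example, not Shakapacker's or webpack's own code. It models the EnvironmentPlugin contract the advisory describes (whatever definition map the plugin receives is the set of process.env.* references that get inlined into the client bundle), contrasts the "pass all of process.env" configuration with an explicit allowlist, and includes a build-time check that scans the emitted bundle text for leaked secret values. The environment variables, their values, the client source and the allowlist are all constructed for the example; the function names are this example's own.

```javascript
// Constructed build environment: public configuration mixed with secrets.
const SAMPLE_BUILD_ENV = {
  NODE_ENV: 'production',
  PUBLIC_API_URL: 'https://api.example.test',
  AWS_SECRET_ACCESS_KEY: 'example-secret-do-not-ship',          // constructed value
  DATABASE_URL: 'postgres://user:pw@db.example.test/app',       // constructed value
};

// Vulnerable pattern from the advisory: the whole environment becomes the
// plugin's definition map, so any process.env.X reference in application or
// dependency code resolves to the real build-time value.
function vulnerableEnvironmentPluginArgs(env) {
  return { ...env };
}

// Hardened pattern (assumed project convention): only variables that are
// genuinely meant for the browser are handed to the plugin. A missing
// allowlisted variable fails the build instead of inlining "undefined".
const CLIENT_ENV_ALLOWLIST = ['NODE_ENV', 'PUBLIC_API_URL'];

function hardenedEnvironmentPluginArgs(env, allowlist = CLIENT_ENV_ALLOWLIST) {
  const picked = {};
  for (const key of allowlist) {
    if (!(key in env)) {
      throw new Error(`Client-side variable ${key} is not set in the build environment`);
    }
    picked[key] = env[key];
  }
  return picked;
}

// Model of the substitution EnvironmentPlugin performs: each process.env.KEY
// occurrence whose KEY is defined is replaced by the JSON literal of its value;
// undefined keys are left untouched in this model (webpack itself is not run).
function inlineEnv(source, definitions) {
  return source.replace(/process\.env\.([A-Z0-9_]+)/g, (match, key) =>
    key in definitions ? JSON.stringify(definitions[key]) : match);
}

// Defender-side check on the built artifact: report every non-allowlisted
// build variable whose value appears verbatim in the bundle text.
function findLeakedValues(bundleText, env, allowlist = CLIENT_ENV_ALLOWLIST) {
  return Object.entries(env)
    .filter(([key, value]) =>
      !allowlist.includes(key) && value !== '' && bundleText.includes(value))
    .map(([key]) => key);
}

// Constructed client code: a dependency that, as the advisory describes, reads
// a server-only variable through process.env.
const SAMPLE_CLIENT_SOURCE = [
  'const api = process.env.PUBLIC_API_URL;',
  'const awsKey = process.env.AWS_SECRET_ACCESS_KEY; // reads whatever is defined',
].join('\n');

// Builds the same client source under both configurations and reports leaks.
function demo() {
  const vulnerableBundle = inlineEnv(
    SAMPLE_CLIENT_SOURCE, vulnerableEnvironmentPluginArgs(SAMPLE_BUILD_ENV));
  const hardenedBundle = inlineEnv(
    SAMPLE_CLIENT_SOURCE, hardenedEnvironmentPluginArgs(SAMPLE_BUILD_ENV));
  return {
    vulnerableLeaks: findLeakedValues(vulnerableBundle, SAMPLE_BUILD_ENV),
    hardenedLeaks: findLeakedValues(hardenedBundle, SAMPLE_BUILD_ENV),
  };
}

console.log(demo()); // vulnerableLeaks: ['AWS_SECRET_ACCESS_KEY'], hardenedLeaks: []
```

In a real webpack configuration the hardened map is what you would pass to the plugin, `new webpack.EnvironmentPlugin(hardenedEnvironmentPluginArgs(process.env))`, and `findLeakedValues` is the kind of check worth running over the emitted bundle files in CI, with the secret values taken from the build environment rather than hard-coded.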