GHSA-gj6x-q8rh-wj6x: Curio exposes database credentials to users with network access through verbose HTTP error responses
Multiple HTTP handlers in Curio passed raw database error messages to HTTP clients via http.Error(). When the PostgreSQL/YugabyteDB driver (pgx) returned errors, these could contain the database connection string — including hostname, port, username, and password. Additionally, the internal connection string was constructed with the plaintext password embedded in the URL, which was also included in startup error messages and could surface in logs.
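The two patterns the advisory describes, side by side with their fixes, as an added Go example (not Curio's own code): a handler that forwards a raw driver error to the client versus one that logs it server-side and returns a generic message, plus redacting the password from a URL-style connection string before it reaches a startup message or log. The driver error text and connection string below are constructed stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed stand-in for a driver error whose message embeds the
// connection string, the pattern the advisory describes.
var dbErr = errors.New("failed to connect to `host=db.internal user=curio password=s3cret`")

// leakyHandler: the vulnerable pattern, the raw driver error reaches the client.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	http.Error(w, dbErr.Error(), http.StatusInternalServerError)
}

// safeHandler: details go to the server log only, the client gets a generic message.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	log.Printf("database error on %s: %v", r.URL.Path, dbErr)
	http.Error(w, "internal server error", http.StatusInternalServerError)
}

// responseBody drives a handler with a fake request and returns the body text.
func responseBody(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/status", nil))
	return strings.TrimSpace(rec.Body.String())
}

// redactDSN returns a copy of a URL-style connection string with the password
// replaced by "xxxxx" (url.URL.Redacted), suitable for startup messages and logs.
func redactDSN(dsn string) (string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

func main() {
	fmt.Println("leaky:", responseBody(leakyHandler))
	fmt.Println("safe: ", responseBody(safeHandler))
	safeDSN, _ := redactDSN("postgres://curio:s3cret@db.internal:5432/curio?sslmode=disable")
	fmt.Println("dsn:  ", safeDSN) // postgres://curio:xxxxx@db.internal:5432/curio?sslmode=disable
}
```

Note that pgx also accepts key=value DSNs, which url.Parse does not handle; those need a separate redaction step before logging.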
References
- github.com/advisories/GHSA-gj6x-q8rh-wj6x
- github.com/filecoin-project/curio
- github.com/filecoin-project/curio/blob/main/documentation/en/design/README.md
- github.com/filecoin-project/curio/commit/551da78e0123892600d8e6dfe9de7a579055d80b
- github.com/filecoin-project/curio/pull/919
- github.com/filecoin-project/curio/security/advisories/GHSA-gj6x-q8rh-wj6x