GMS-2020-414: Sensitive information exposure through logs in npm-registry-fetch

July 7, 2020 (updated September 22, 2021)

Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

References

github.com/advisories/GHSA-jmqm-f2gx-4fjv
github.com/npm/npm-registry-fetch/commit/18bf9b97fb1deecdba01ffb05580370846255c88
github.com/npm/npm-registry-fetch/pull/29
github.com/npm/npm-registry-fetch/security/advisories/GHSA-jmqm-f2gx-4fjv
snyk.io/vuln/SNYK-JS-NPMREGISTRYFETCH-575432

Code Behaviors & Features

Detect and mitigate GMS-2020-414 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →