Description
Affected versions of aegir bundle and publish the current user's GitHub token to npm when aegir-release is executed.
Recommendation
Update the aegir package to the latest compatible version. Version details:
- Affected version(s): >= 12.0.0, <= 12.0.7
- Patched version(s): 12.0.8
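
To check whether a project still resolves aegir inside the affected range, the following added example (not part of the advisory or of the aegir project) scans a parsed package-lock.json for every installed copy of aegir, including nested ones. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: locate aegir installs in the affected range (>= 12.0.0, <= 12.0.7).
// classify() and findAegir() are hypothetical helper names, not an npm or aegir API.

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return "review"; // prerelease tag, git URL, etc.: check by hand
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 12 && minor === 0 && patch <= 7 ? "affected" : "ok";
}

function findAegir(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, status: classify(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/aegir" || path.endsWith("/node_modules/aegir")) {
      record(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "aegir") record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/aegir": { version: "12.0.5" },
    "node_modules/tooling/node_modules/aegir": { version: "12.0.8" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    tooling: { version: "2.0.0", dependencies: { aegir: { version: "12.0.0" } } },
  },
};

console.log(findAegir(sampleV3), findAegir(sampleV1));
```

On a real project, pass `JSON.parse` of the package-lock.json contents to `findAegir` and treat any `affected` entry as needing the update to 12.0.8.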
References
Related Issues
- Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
- Undici vulnerable to data leak when using response.arrayBuffer() - CVE-2024-38372
- Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to - CVE-2024-39691
- Lobe Chat API Key Leak - CVE-2024-37895
Tags
- npm
- aegir
Last updated on January 09, 2023