Description
Versions of seneca prior to 3.9.0 are vulnerable to Sensitive Data Exposure. When a process using the package crashes, all environment variables are printed. This may leak sensitive data such as access keys, especially when log-monitoring systems store the error output.
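As an added illustration of the defensive side (example code, not seneca's own): a crash handler that reports the error without dumping the environment, and a check a log pipeline can run to confirm that no sensitive environment value reached the stored error output. The variable names and values are constructed for the example.

```javascript
// Added example, not seneca's code. Shows a crash report that omits
// environment variables, plus a check for env values that leaked into logs.
const SENSITIVE_KEY = /(key|secret|token|password|passwd|credential)/i;

// Build a crash report containing only the error, never the environment.
// `env` is passed explicitly so the function is testable without touching process.env.
function buildCrashReport(err, env) {
  return {
    name: err && err.name,
    message: err && err.message,
    stack: err && err.stack,
    // Only the *names* of sensitive variables are reported, never their
    // values, so an operator can still see what was configured.
    configuredSecrets: Object.keys(env).filter((k) => SENSITIVE_KEY.test(k)),
  };
}

// Detection: does a block of log text contain the value of any sensitive env var?
// Returns the names of the leaked variables; an empty array means no leak found.
function findLeakedEnvValues(logText, env) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    // Skip non-sensitive names and very short values (too many false positives).
    if (!SENSITIVE_KEY.test(name) || !value || value.length < 4) continue;
    if (logText.includes(value)) leaked.push(name);
  }
  return leaked;
}

// Constructed sample environment; these are not real credentials.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  AWS_SECRET_ACCESS_KEY: 'constructed-secret-0123456789',
  DB_PASSWORD: 'constructed-password-abcdef',
  PORT: '3000',
};

// Wiring for a real process: log the safe report instead of process.env.
// Not called here so the example stays side-effect free.
function installCrashHandler(logger = console) {
  process.on('uncaughtException', (err) => {
    logger.error(JSON.stringify(buildCrashReport(err, process.env)));
    process.exit(1);
  });
}
```

The detection check is independent of seneca and works on any stored error output, since it compares the log text against the values the process was actually started with.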
Recommendation
Update the seneca package to the latest compatible version. Version details:
- Affected version(s): < 3.9.0
- Patched version(s): 3.9.0
References
- GHSA-2xwv-3cc9-fp7c
- hackerone.com
- www.npmjs.com
- CVE-2019-5483
- CWE-209
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Sensitive Data Exposure in parse-server - CVE-2019-1020013
- Sensitive data exposure in NATS (GHSA-82rf-q3pr-4f6p) - CVE-2020-26149
- Sensitive data exposure in NATS - CVE-2020-26149
- Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
Tags
- npm
- seneca
Last updated on January 09, 2023