From be204f514f1c243ede87576912bc14e592778eb9 Mon Sep 17 00:00:00 2001 From: sampion88 Date: Fri, 26 Dec 2025 13:57:01 +0100 Subject: [PATCH 1/3] new vulnerability in better-ccflare --- input/new.json | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/input/new.json b/input/new.json index 87646b9a..045fa95a 100644 --- a/input/new.json +++ b/input/new.json @@ -1,15 +1,25 @@ { - "package_name": "", - "patch_versions": [], - "vulnerable_ranges": [], - "cwe": [], - "tldr": "", - "doest_this_affect_me": "", - "how_to_fix": "", - "vulnerable_to": "", + "package_name": "better-ccflare", + "patch_versions": [ + "3.0.4" + ], + "vulnerable_ranges": [ + [ + "3.0.0", + "3.0.4" + ] + ], + "cwe": [ + "CWE-200" + ], + "tldr": "Affected versions of this package may expose sensitive information by unintentionally forwarding the client API key to OAuth providers. When both `Authorization` and `x-api-key` headers are present, only the `Authorization` header is removed, allowing the API key to be leaked to upstream services. This change ensures both headers are stripped before provider-specific credentials are applied, preventing unintended disclosure of authentication data.", + "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.", + "how_to_fix": "Upgrade the `better-ccflare` library to the patch version.", + "reporter": "", + "vulnerable_to": "Exposure of Sensitive Information", "related_cve_id": "", - "language": "", - "severity_class": "", - "aikido_score": 0, - "changelog": "" + "language": "JS", + "severity_class": "MEDIUM", + "aikido_score": 55, + "changelog": "https://github.com/tombii/better-ccflare/releases/tag/v3.0.4" } From 05611f6af80456fcbb872ebc2ae5251dec96c1ad Mon Sep 17 00:00:00 2001 From: sampion88 Date: Fri, 26 Dec 2025 14:01:08 +0100 Subject: [PATCH 2/3] new vulnerability in better-ccflare --- input/new.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/input/new.json b/input/new.json index 045fa95a..b852fbc9 100644 --- a/input/new.json +++ b/input/new.json @@ -6,7 +6,7 @@ "vulnerable_ranges": [ [ "3.0.0", - "3.0.4" + "3.0.3" ] ], "cwe": [ From ce625640a00d860873802475bf328fce9d39b362 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 30 Dec 2025 12:55:19 +0000 Subject: [PATCH 3/3] Move new vulnerability to vulnerabilities/AIKIDO-2025-11004.json and reset new.json template --- input/new.json | 34 +++++++++----------------- vulnerabilities/AIKIDO-2025-11004.json | 27 ++++++++++++++++++++ 2 files changed, 39 insertions(+), 22 deletions(-) create mode 100644 vulnerabilities/AIKIDO-2025-11004.json diff --git a/input/new.json b/input/new.json index b852fbc9..87646b9a 100644 --- a/input/new.json +++ b/input/new.json @@ -1,25 +1,15 @@ { - "package_name": "better-ccflare", - "patch_versions": [ - "3.0.4" - ], - "vulnerable_ranges": [ - [ - "3.0.0", - "3.0.3" - ] - ], - "cwe": [ - "CWE-200" - ], - "tldr": "Affected versions of this package may expose sensitive information by unintentionally forwarding the client API key to OAuth providers. When both `Authorization` and `x-api-key` headers are present, only the `Authorization` header is removed, allowing the API key to be leaked to upstream services. This change ensures both headers are stripped before provider-specific credentials are applied, preventing unintended disclosure of authentication data.", - "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.", - "how_to_fix": "Upgrade the `better-ccflare` library to the patch version.", - "reporter": "", - "vulnerable_to": "Exposure of Sensitive Information", + "package_name": "", + "patch_versions": [], + "vulnerable_ranges": [], + "cwe": [], + "tldr": "", + "doest_this_affect_me": "", + "how_to_fix": "", + "vulnerable_to": "", "related_cve_id": "", - "language": "JS", - "severity_class": "MEDIUM", - "aikido_score": 55, - "changelog": "https://github.com/tombii/better-ccflare/releases/tag/v3.0.4" + "language": "", + "severity_class": "", + "aikido_score": 0, + "changelog": "" } diff --git a/vulnerabilities/AIKIDO-2025-11004.json b/vulnerabilities/AIKIDO-2025-11004.json new file mode 100644 index 00000000..63ade11d --- /dev/null +++ b/vulnerabilities/AIKIDO-2025-11004.json @@ -0,0 +1,27 @@ +{ + "package_name": "better-ccflare", + "patch_versions": [ + "3.0.4" + ], + "vulnerable_ranges": [ + [ + "3.0.0", + "3.0.3" + ] + ], + "cwe": [ + "CWE-200" + ], + "tldr": "Affected versions of this package may expose sensitive information by unintentionally forwarding the client API key to OAuth providers. When both `Authorization` and `x-api-key` headers are present, only the `Authorization` header is removed, allowing the API key to be leaked to upstream services. This change ensures both headers are stripped before provider-specific credentials are applied, preventing unintended disclosure of authentication data.", + "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.", + "how_to_fix": "Upgrade the `better-ccflare` library to the patch version.", + "reporter": "", + "vulnerable_to": "Exposure of Sensitive Information", + "related_cve_id": "", + "language": "JS", + "severity_class": "MEDIUM", + "aikido_score": 55, + "changelog": "https://github.com/tombii/better-ccflare/releases/tag/v3.0.4", + "last_modified": "2025-12-30", + "published": "2025-12-30" +}