Skip to content

Withdrawn: Octocat.js vulnerable to code injection

High severity GitHub Reviewed Published Nov 4, 2022 in octocademy/octocat.js • Updated Feb 24, 2023
Withdrawn This advisory was withdrawn on Nov 9, 2022

Package

npm octocat.js (npm)

Affected versions

< 1.2

Patched versions

1.2

Description

Withdrawn

This advisory has been withdrawn because it is a test.

Original Description

Impact

Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.

Patches

This vulnerability was fixed in version 1.2 of octocat.js

Workarounds

Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.

References

To render the file correctly, see documentation at readme.md

For more information

If you have any questions or comments about this advisory:

References

@Damovisa Damovisa published to octocademy/octocat.js Nov 4, 2022
Published to the GitHub Advisory Database Nov 8, 2022
Reviewed Nov 8, 2022
Published by the National Vulnerability Database Nov 9, 2022
Withdrawn Nov 9, 2022
Last updated Feb 24, 2023

Severity

High

Weaknesses

CVE ID

CVE-2022-39390

GHSA ID

GHSA-r4jg-5v89-9v62

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.