CVE-2023-6460: Insecure Storage of Sensitive Information

December 4, 2023

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue

References

github.com/advisories/GHSA-4g6q-77j7-vvjc
github.com/googleapis/nodejs-firestore/pull/1742
github.com/googleapis/nodejs-firestore/releases/tag/v6.1.0
nvd.nist.gov/vuln/detail/CVE-2023-6460

Detect and mitigate CVE-2023-6460 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →