GHSA-mgr7-5782-6jh9: The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package
The Heartcore headless client library depends on Refit to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.
This should not affect use of the Heartcore client library itself, because the library does not call the vulnerable method, HttpHeaders.TryAddWithoutValidation. However, Refit becomes a transitive dependency of any application that uses this library, so applications that also call Refit directly, in particular where a user can influence a header value, could be vulnerable and should review their own Refit usage against the Refit advisory.
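To make the failure mode concrete, the following is an added example, not code from Refit, Umbraco Heartcore or .NET. It uses a small Python HTTP/1.1 request serializer as a stand-in for a client that writes header values into the request verbatim, shows how a CR LF sequence in one value turns into an extra header line or into body content on the wire, and pairs it with the validation check (reject CR, LF and other control characters in field values) that a hardened serializer, or an application passing user-derived values into headers, would apply. All header names, values and the host are constructed for the example.

```python
import re

CRLF = "\r\n"

# Constructed samples: the value of X-Api-Key is imagined to come from a
# user, so an attacker controls it. Only the first set is benign.
BENIGN_HEADERS = {"Accept": "application/json", "X-Api-Key": "abc123"}
HEADER_SMUGGLING = {
    "Accept": "application/json",
    # CR LF ends the X-Api-Key line and starts a header the app never set
    "X-Api-Key": "abc123\r\nX-Forwarded-For: 127.0.0.1",
}
BODY_SMUGGLING = {
    "Accept": "application/json",
    # a blank line ends the header block; what follows is read as the body
    "X-Api-Key": "abc123\r\nContent-Length: 5\r\n\r\nhello",
}


def serialize_unvalidated(method, path, host, headers, body=b""):
    """Build a raw HTTP/1.1 request, copying header values verbatim.

    This mirrors adding headers 'without validation': nothing stops a
    value containing CR LF from being emitted as further header lines or,
    after a blank line, as body content."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


# RFC 9110 token characters for a field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A field value may not contain CR, LF or any other control character
# except HTAB (0x09); 0x0a-0x1f covers both LF (0x0a) and CR (0x0d).
_BAD_VALUE_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_header(name, value):
    """Reject names and values that could break request framing."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if _BAD_VALUE_CHAR.search(value):
        raise ValueError(f"control character in value of header {name!r}")


def serialize_validated(method, path, host, headers, body=b""):
    """Hardened variant: validate every header before serializing."""
    for name, value in headers.items():
        validate_header(name, value)
    return serialize_unvalidated(method, path, host, headers, body)


def parse_request(raw):
    """Minimal server-side view: request line, header pairs, body bytes.

    Only good enough to show what a server receives; not a full parser."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def injected_headers(sent, received):
    """Headers the server saw that the application never set itself."""
    expected = {n.lower() for n in sent} | {"host", "content-length"}
    return [(n, v) for n, v in received if n.lower() not in expected]


if __name__ == "__main__":
    host = "api.example.invalid"
    _, hdrs, _ = parse_request(serialize_unvalidated("GET", "/content", host, HEADER_SMUGGLING))
    print("smuggled headers:", injected_headers(HEADER_SMUGGLING, hdrs))
    _, _, body = parse_request(serialize_unvalidated("GET", "/content", host, BODY_SMUGGLING))
    print("smuggled body:", body[:5])
    for bad in (HEADER_SMUGGLING, BODY_SMUGGLING):
        try:
            serialize_validated("GET", "/content", host, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The unvalidated serializer sends the injected X-Forwarded-For header, and in the second case a server honouring the smuggled Content-Length reads "hello" as the body while the client's own Content-Length header is pushed into the body. The validated variant raises before anything is written. The check belongs at the point where untrusted input becomes a header value; upgrading the dependency fixes the library path, but an application that builds headers from user input itself still needs this kind of guard.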