GHSA-mgr7-5782-6jh9: The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package
The Heartcore headless client library depends on Refit to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.
This shouldn’t affect Heartcore client library usage as the vulnerable method - HttpHeaders.TryAddWithoutValidation - is not used. However, since Refit is a transient dependency for applications using this library, then any users making direct use of Refit could be vulnerable.
References
Code Behaviors & Features
Detect and mitigate GHSA-mgr7-5782-6jh9 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →