CVE-2022-39382

NODE_ENV in Keystone defaults to development with esbuild

  • Severity Score: 9.8 (CVSS v3.1)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Keystone is a headless CMS for Node.js, built with GraphQL and React. `@keystone-6/core@3.0.0 || 3.0.1` users who use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"development"` for user code, irrespective of your environment variables. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured `NODE_ENV` variable. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. This vulnerability has been fixed in `@keystone-6/core@3.0.2`; regression tests have been added for this vulnerability in #8063.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-11-03 CVE Published
  • 2024-06-24 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Keystonejs | Keystone | 3.0.0 | node.js | Affected
Keystonejs | Keystone | 3.0.1 | node.js | Affected