@steipete/summarize 0.14.1

Direct Vulnerabilities

Known vulnerabilities in the @steipete/summarize package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Missing Authorization @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the extension automation feature. An attacker can perform unauthorized browser automation actions by tricking a user into interacting with attacker-controlled content, which causes the agent to invoke enabled automation tools such as navigation or debugger-backed actions without the required user approval. This is only exploitable if the extension automation feature is enabled. How to fix Missing Authorization? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0
H Missing Authorization @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the `slidesDir` parameter in the `/v1/summarize` endpoint. An attacker can write arbitrary files, such as `slide_*.png` and `slides.json`, to any writable directory and subsequently delete matching files at the specified location by supplying an absolute path or directory traversal sequence. How to fix Missing Authorization? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0
M Missing Authorization @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the `window.postMessage` bridge in the content script. An attacker can access, modify, or delete automation artifacts by sending crafted runtime messages with spoofed sender identifiers. How to fix Missing Authorization? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0
M Server-side Request Forgery (SSRF) @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the hover summary process. An attacker can cause authenticated requests to be sent to internal or private-network endpoints by dispatching synthetic mouseover events over attacker-controlled links, leveraging stored authentication tokens when users interact with malicious content. How to fix Server-side Request Forgery (SSRF)? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0
M Incorrect Permission Assignment for Critical Resource @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the configuration file rewrite process. An attacker can access sensitive credentials by reading files created with overly permissive default filesystem permissions. This is only exploitable if the software is running on a shared Unix-like system where other local users have access to the filesystem. How to fix Incorrect Permission Assignment for Critical Resource? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0
M Incorrect Permission Assignment for Critical Resource @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the creation of the `daemon.json` configuration file with overly permissive filesystem permissions. An attacker can gain unauthorized access to sensitive bearer tokens and API credentials by reading the file contents. How to fix Incorrect Permission Assignment for Critical Resource? Upgrade `@steipete/summarize` to version 0.15.0 or higher.	<0.15.0

Vulnerability

Vulnerable Version

Missing Authorization

@steipete/summarize is a Link → clean text → summary.

Affected versions of this package are vulnerable to Missing Authorization via the extension automation feature. An attacker can perform unauthorized browser automation actions by tricking a user into interacting with attacker-controlled content, which causes the agent to invoke enabled automation tools such as navigation or debugger-backed actions without the required user approval. This is only exploitable if the extension automation feature is enabled.

How to fix Missing Authorization?