@tinacms/cli 0.0.0-e2e04ae-20260325061046 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @tinacms/cli package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal in the development server's media upload handler. An attacker can write or delete arbitrary files, or enumerate directories outside the intended media folder by supplying crafted path traversal sequences in the upload, delete, or list endpoints. This can lead to overwriting sensitive files, removing critical application or system files, or disclosing directory structures by sending specially crafted HTTP requests containing traversal patterns such as `../`. How to fix Directory Traversal? Upgrade `@tinacms/cli` to version 2.1.7 or higher.	<2.1.7
M Files or Directories Accessible to External Parties @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the dev server configuration when `server.fs.strict` is set to `false`. An attacker can access sensitive files on the host system by sending crafted requests to the development server. How to fix Files or Directories Accessible to External Parties? Upgrade `@tinacms/cli` to version 2.1.8 or higher.	<2.1.8
H Directory Traversal @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal via the `decodeURI` and `path.join` functions in the HTTP server endpoints `/media/list/`, `/media/upload/`, and `/media/*`. An attacker can access, modify, or delete arbitrary files on the filesystem outside the intended media directory by supplying crafted path segments. How to fix Directory Traversal? Upgrade `@tinacms/cli` to version 2.1.7 or higher.	<2.1.7
M Directory Traversal @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal via a combination with permissive CORS configuration. An attacker can access, write, and delete arbitrary files on a developer's machine by enticing the victim to visit a malicious website while the development server is running. How to fix Directory Traversal? Upgrade `@tinacms/cli` to version 2.1.8 or higher.	<2.1.8
H Information Exposure @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Information Exposure in the `tina-lock.json` file. An attacker can access the search token by exploiting the insecure storage of this token in the lock file. Note: If Tina-enabled website has search setup, rotating search token is required for the proper fix. How to fix Information Exposure? Upgrade `@tinacms/cli` to version 1.6.2 or higher.	<1.6.2

Vulnerability

Vulnerable Version

Directory Traversal