@tinacms/graphql 2.1.1

Direct Vulnerabilities

Known vulnerabilities in the @tinacms/graphql package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Symlink Attack @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Symlink Attack in the FilesystemBridge `get()`, `put()`, `delete()`, and `glob()` methods. An attacker can access, modify, or delete files outside the intended directory by leveraging existing symlinks or junctions within the allowed content root. How to fix Symlink Attack? Upgrade `@tinacms/graphql` to version 2.2.2 or higher.	<2.2.2
H Symlink Attack @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Symlink Attack in the handling of media endpoints when symlinks or junctions exist within the media directory. An attacker can access, list, write, or delete files outside the intended media root by supplying crafted paths that traverse through existing links. How to fix Symlink Attack? Upgrade `@tinacms/graphql` to version 2.2.2 or higher.	<2.2.2
H Directory Traversal @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal due to improper validation of backslashes on non-Windows platforms (Mac/Linux) in `getValidatedPath()` function. An attacker can overwrite arbitrary files and potentially execute malicious code by manipulating `relativePath` parameter in GraphQL mutations. How to fix Directory Traversal? Upgrade `@tinacms/graphql` to version 2.2.2 or higher.	<2.2.2
H Directory Traversal @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal in the development server's media upload handler. An attacker can write or delete arbitrary files, or enumerate directories outside the intended media folder by supplying crafted path traversal sequences in the upload, delete, or list endpoints. This can lead to overwriting sensitive files, removing critical application or system files, or disclosing directory structures by sending specially crafted HTTP requests containing traversal patterns such as `../`. How to fix Directory Traversal? Upgrade `@tinacms/graphql` to version 2.1.3 or higher.	<2.1.3
M Directory Traversal @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal via the `relativePath` and `newRelativePath` parameters in GraphQL mutations. An attacker can access or modify files outside the intended directory by supplying specially crafted path values containing directory traversal sequences. How to fix Directory Traversal? Upgrade `@tinacms/graphql` to version 2.1.2 or higher.	<2.1.2

Vulnerability

Vulnerable Version

Symlink Attack