apostrophe@4.31.0-alpha.1

The Apostrophe Content Management System.

  • latest version

    4.31.0

  • latest non-vulnerable version

  • first published

    13 years ago

  • latest version published

    12 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the apostrophe package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M (medium severity)
    Server-side Request Forgery (SSRF)

    apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the pretty-URL handler when the prettyUrls option is enabled. By manipulating the Host header in unauthenticated requests, an attacker can cause the server to make blind HTTP requests to internal or external hosts and can expose /uploads/attachments/<cuid>-<slug>.<ext> for a known slug. Any further side-channel information disclosure, verbose middleware error reporting, etc. is incidental to this vulnerability.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade apostrophe to version 4.31.0 or higher.

    Vulnerable version: <4.31.0
    • H (high severity)
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution in the apos.util.set() and apos.util.get() functions, which traverse dot-notation paths without sanitizing __proto__. An attacker can modify Object.prototype via the $pullAll patch operator and, by polluting publicApiProjection, bypass authorization checks on all piece-type REST API endpoints for every subsequent unauthenticated request.

    How to fix Prototype Pollution?

    Upgrade apostrophe to version 4.31.0 or higher.

    Vulnerable version: <4.31.0