copilot-api@0.5.10

Turn GitHub Copilot into OpenAI/Anthropic API compatible server. Usable with Claude Code!

Direct Vulnerabilities

Known vulnerabilities in the copilot-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • M
Permissive Cross-domain Policy with Untrusted Domains

copilot-api turns GitHub Copilot into an OpenAI/Anthropic API compatible server, usable with Claude Code.

Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the CORS policy combined with the unauthenticated /token endpoint. An attacker can gain unauthorized access to sensitive information and perform actions on behalf of users by exploiting a permissive cross-domain policy that allows requests from untrusted domains.

How to fix Permissive Cross-domain Policy with Untrusted Domains?

There is no fixed version for copilot-api.

Vulnerable versions: *
  • M
DNS Rebinding

copilot-api turns GitHub Copilot into an OpenAI/Anthropic API compatible server, usable with Claude Code.

Affected versions of this package (ericc-ch copilot-api up to 0.7.0) are vulnerable to DNS Rebinding. The issue affects an unknown function of the file /token of the component Header Handler. Manipulating the Host argument can lead to reliance on reverse DNS resolution. The attack can be performed remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

How to fix DNS Rebinding?

There is no fixed version for copilot-api.

Vulnerable versions: *