repomix@1.16.0

A tool to pack repository contents to single file for AI consumption

  • latest version

    1.16.1

  • latest non vulnerable version

  • first published

    1 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the repomix package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Files or Directories Accessible to External Parties

    repomix is an A tool to pack repository contents to single file for AI consumption

    Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the remote repository URL validation in src/core/git/gitRemoteParse.ts and the public website pack clone path in processRemoteRepo. An attacker can read arbitrary local git repositories by supplying a file:// URL to the /api/pack clone endpoint, which passes the URL through shape-only parsing and into git clone. This lets an unauthenticated attacker fetch tracked file contents from repositories on the server filesystem. For users running the website server, the impact is unauthorized disclosure of repository data stored locally.

    How to fix Files or Directories Accessible to External Parties?

    Upgrade repomix to version 1.16.1 or higher.

    <1.16.1
    • M
    Server-side Request Forgery (SSRF)

    repomix is an A tool to pack repository contents to single file for AI consumption

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the processRemoteRepo path in POST /api/pack and its repository URL handling before git clone. An attacker can make the server issue arbitrary outbound requests, including requests to private network addresses, cloud metadata services, or local filesystem paths, by supplying a crafted repository URL. The vulnerable code accepts URLs that only match the expected owner/repo shape and passes them to git clone without enforcing an HTTPS-only public-repository allowlist. This lets unauthenticated users trigger outbound network access from the server and, with file:// URLs, local file reads that can expose sensitive data or break the pack endpoint’s normal behavior.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade repomix to version 1.16.1 or higher.

    <1.16.1