Race Condition Affecting @genkit-ai/firebase package, versions <0.9.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-GENKITAIFIREBASE-12671227
- published17 Sept 2025
- disclosed1 May 2025
- creditUnknown
Introduced: 1 May 2025
CVE NOT AVAILABLE CWE-362 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @genkit-ai/firebase to version 0.9.1 or higher.
Overview
@genkit-ai/firebase is a Genkit AI framework plugin for Firebase including Firestore trace/state store and deployment helpers for Cloud Functions for Firebase.
Affected versions of this package are vulnerable to Race Condition via the asynchronous user engagement collection in the appendSpan and collectUserEngagement methods, where calls were not correctly awaited. Improper handling of asynchronous functions can lead to unexpected behavior or data inconsistencies during user engagement tracking.