CVE-2024-4128 (Low) detected in firebase-tools-7.1.0.tgz

[mend-for-github-com[bot]]

CVE-2024-4128 - Low Severity Vulnerability

Vulnerable Library - firebase-tools-7.1.0.tgz

Command-Line Interface for Firebase

Library home page: https://registry.npmjs.org/firebase-tools/-/firebase-tools-7.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/firebase-tools/package.json

Dependency Hierarchy: - :x: **firebase-tools-7.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2a1411ba78280c07796558559ccfca7738c05cf4

Found in base branch: master

Vulnerability Details

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit  068a2b08dc308c7ab4b569617f5fc8821237e3a0 https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0

Publish Date: 2024-05-02

URL: CVE-2024-4128

CVSS 3 Score Details (2.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-4128

Release Date: 2024-05-02

Fix Resolution: 13.6.1

---

• [ ] Check this box to open an automated fix PR