{"vulnerability": "GHSA-QHH4-458H-XWH2", "sightings": [{"uuid": "16558c14-5a7a-4deb-91d3-e0c54263e2b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-QHH4-458H-XWH2", "type": "seen", "source": "https://gist.github.com/alon710/3ae104f1304147ec707d4c17fb2fda98", "content": "# GHSA-QHH4-458H-XWH2: GHSA-qhh4-458h-xwh2: Credential Leakage via Origin Validation Error in cdxgen\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-08\n> **Full Report:** https://cvereports.com/reports/GHSA-QHH4-458H-XWH2\n\n## Summary\nThe @cyclonedx/cdxgen package is vulnerable to credential leakage due to improper Docker registry origin validation. A flaw in how registry authentication endpoints are matched against configured credentials allows arbitrary downstream registries to capture private credentials.\n\n## TL;DR\nVersions 9.9.5 through 12.3.2 of @cyclonedx/cdxgen leak Docker registry credentials due to an insecure substring matching implementation. Upgrading to version 12.3.3 resolves the vulnerability by introducing strict hostname normalization.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-346, CWE-522\n- **Attack Vector**: Network\n- **CVSS v4.0**: 5.3 (Medium)\n- **Impact**: Credential Leakage\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- macOS / Linux / Windows running Node.js and @cyclonedx/cdxgen < 12.3.3\n- CI/CD pipelines utilizing vulnerable versions for SBOM generation\n- Docker Daemon instances invoked by vulnerable cdxgen processes\n- **@cyclonedx/cdxgen**: >= 9.9.5, < 12.3.3 (Fixed in: `12.3.3`)\n\n## Mitigation\n\n- Upgrade @cyclonedx/cdxgen to version 12.3.3 or later.\n- Rotate Docker registry credentials used in environments that previously ran vulnerable versions.\n- Implement strict egress network filtering on CI/CD build nodes to prevent unauthorized outbound connections.\n- Utilize dynamic, short-lived authentication tokens instead of static configurations in ~/.docker/config.json.\n\n**Remediation Steps:**\n1. Identify all global and local installations of @cyclonedx/cdxgen across developer machines and build servers.\n2. Execute the update command: npm install -g @cyclonedx/cdxgen@latest\n3. Verify the installed version using: cdxgen --version (Must output >= 12.3.3).\n4. Revoke and regenerate service account tokens used by CI/CD pipelines for internal Docker registries.\n\n## References\n\n- [GitHub Advisory: GHSA-qhh4-458h-xwh2](https://github.com/advisories/GHSA-qhh4-458h-xwh2)\n- [Official Repository](https://github.com/cdxgen/cdxgen)\n- [Fix Pull Request](https://github.com/cdxgen/cdxgen/pull/3964)\n- [OSV Advisory](https://osv.dev/vulnerability/GHSA-qhh4-458h-xwh2)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-QHH4-458H-XWH2) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T22:10:29.000000Z"}]}