GHSA-8WC6-VGRQ-X6CF

Vulnerability from github – Published: 2026-02-13 20:53 – Updated: 2026-02-13 20:53
VLAI?
Summary
Child processes spawned by Renovate incorrectly have full access to environment variables
Details

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.

Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.

Impact

Child processes spawned by Renovate (i.e. npm install, anything defined in postUpgradeTasks or postUpdateOptions) will have full access to the environment variables that the Renovate process has.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

Patches

This is patched in 42.96.3 and 43.4.4.

Workarounds

There are no workarounds, other than upgrading your Renovate version.

Why did this happen?

As part of work towards https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96, one of the preparatory changes we made was moving to execa.

One of the default behaviours of execa is to extend the process' environment variables with any new ones, rather than override them.

This was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with execa by Renovate.

This was discovered as part of an unrelated change.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.68.1"
            },
            {
              "fixed": "42.96.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "43.0.0"
            },
            {
              "fixed": "43.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-13T20:53:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.\n\nSince [42.68.1](https://github.com/renovatebot/renovate/releases/tag/42.68.1) (2025-12-30), this filtering had been **inadvertently removed**, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.\n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack) being able to exflitrate secrets from the Renovate deployment.\n\nIt is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.\n\n## Impact\n\nChild processes spawned by Renovate (i.e. `npm install`, anything defined in [`postUpgradeTasks`](https://docs.renovatebot.com/configuration-options/#postupgradetasks) or [`postUpdateOptions`](https://docs.renovatebot.com/configuration-options/#postupdateoptions)) will have full access to the environment variables that the Renovate process has. \n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack) being able to exflitrate secrets from the Renovate deployment.\n\n## Patches\n\nThis is patched in [42.96.3](https://github.com/renovatebot/renovate/releases/tag/42.96.3) and [43.4.4](https://github.com/renovatebot/renovate/releases/tag/43.4.4).\n\n## Workarounds\n\nThere are no workarounds, other than upgrading your Renovate version.\n\n## Why did this happen?\n\nAs part of work towards https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96, one of the [preparatory changes](https://github.com/renovatebot/renovate/pull/40212) we made was moving to [`execa`](https://www.npmjs.com/package/execa).\n\nOne of the default behaviours of `execa` is to [extend the process\u0027 environment variables with any new ones](https://github.com/sindresorhus/execa/tree/v8.0.1?tab=readme-ov-file#extendenv), rather than override them.\n\nThis was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with `execa` by Renovate.\n\nThis was discovered as part of an unrelated change.",
  "id": "GHSA-8wc6-vgrq-x6cf",
  "modified": "2026-02-13T20:53:58Z",
  "published": "2026-02-13T20:53:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-8wc6-vgrq-x6cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/renovatebot/renovate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/renovatebot/renovate/releases/tag/42.96.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/renovatebot/renovate/releases/tag/43.4.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Child processes spawned by Renovate incorrectly have full access to environment variables"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.