CVE Reports

Posted on • Originally published at cvereports.com

GHSA-8WC6-VGRQ-X6CF: Renovate's TMI: When Automation Leaks the Keys to the Kingdom

Vulnerability ID: GHSA-8WC6-VGRQ-X6CF
CVSS Score: 5.5
Published: 2026-02-13

A critical regression in Renovate's process execution logic allowed child processes to inherit the full set of parent environment variables. This accidentally exposed sensitive CI/CD credentials, such as GitHub PATs and npm tokens, to untrusted scripts running during package updates.

TL;DR

Renovate switched to a new library (execa) for running commands but did not override execa's default of merging the parent process environment into the environment handed to each child. Consequently, npm install scripts and postUpgradeTasks ran with full access to Renovate's secrets. Fixed in 42.96.3 and 43.4.4.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-526 (Env Var Exposure)
  • Attack Vector: Local / CI Environment
  • CVSS: 5.5 (Medium)
  • Affected Component: lib/util/exec/common.ts
  • Impact: Information Disclosure (Credentials)
  • Exploit Status: Conceptual / PoC Available

Affected Systems

  • Renovate CLI (Self-hosted)
  • Renovate Docker Images
  • CI/CD Pipelines running Renovate
  • Renovate: >= 42.68.1 < 42.96.3 (Fixed in: 42.96.3)
  • Renovate: >= 43.0.0 < 43.4.4 (Fixed in: 43.4.4)

Code Analysis

Commit: 9b59ffd

fix(exec): explicitly disable env inheritance

--- a/lib/util/exec/common.ts
+++ b/lib/util/exec/common.ts
@@ -129,6 +129,7 @@ export function exec(
       detached: process.platform !== 'win32',
       shell,
+      extendEnv: false,
     });
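Review bot: `extendEnv: false` makes the child see only the `env` this options object passes, but the hunk shows no change to how that `env` is built, so the caller must now supply every variable a package manager needs (PATH, HOME, proxy settings and the like) or commands that previously worked through inheritance will fail to resolve binaries; confirm the env construction above this hunk populates those explicitly. A regression test that sets a sentinel variable in `process.env`, runs a command through `exec`, and asserts the sentinel is absent from the child's environment would keep this from silently regressing on a future execa upgrade.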

Mitigation Strategies

  • Disable execution of postUpgradeTasks where possible
  • Restrict Renovate's token scopes to minimum necessity
  • Monitor network egress from Renovate runners

Remediation Steps:

  1. Upgrade Renovate to version 42.96.3 or 43.4.4.
  2. Identify all secrets (PATs, API keys) accessible to the Renovate runner environment.
  3. Revoke and rotate all identified secrets immediately.
  4. Audit logs for unusual network activity or unexpected command execution during the vulnerability window.

References


Read the full report for GHSA-8WC6-VGRQ-X6CF on our website for more details including interactive diagrams and full exploit analysis.