CVE Reports

Posted on • Originally published at cvereports.com

GHSA-qhh4-458h-xwh2: Credential Leakage via Origin Validation Error in cdxgen

Vulnerability ID: GHSA-QHH4-458H-XWH2
CVSS Score: 5.3
Published: 2026-05-08

The @cyclonedx/cdxgen package is vulnerable to credential leakage due to improper Docker registry origin validation. Because the registry hostname is matched against configured credential entries by substring rather than by exact, normalized host, a registry other than the one the credentials were configured for can receive those private credentials.

TL;DR

Versions 9.9.5 through 12.3.2 of @cyclonedx/cdxgen leak Docker registry credentials due to an insecure substring matching implementation. Upgrading to version 12.3.3 resolves the vulnerability by introducing strict hostname normalization.


⚠️ Exploit Status: Proof of Concept (PoC)

Technical Details

  • CWE ID: CWE-346, CWE-522
  • Attack Vector: Network
  • CVSS v4.0: 5.3 (Medium)
  • Impact: Credential Leakage
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • macOS / Linux / Windows running Node.js and @cyclonedx/cdxgen < 12.3.3
  • CI/CD pipelines utilizing vulnerable versions for SBOM generation
  • Docker Daemon instances invoked by vulnerable cdxgen processes
  • @cyclonedx/cdxgen: >= 9.9.5, < 12.3.3 (Fixed in: 12.3.3)

Code Analysis

Commit: b1e1798

Fix: Implement strict hostname normalization and validation for Docker registry authentication mapping.
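The following is an added illustration of the bug class described in the TL;DR and of the shape of the fix; it is not cdxgen's code and the function names, the sample config and the base64 values are constructed for this example. The first lookup matches a registry host against ~/.docker/config.json keys by substring, so a host that merely contains a trusted registry name receives that registry's secret. The second lookup normalizes both sides to a bare host[:port] and requires an exact match.

```javascript
// Added example (not cdxgen's code): substring matching of registry hosts
// versus strict hostname normalization. Names and data are constructed.

// Constructed stand-in for the "auths" section of ~/.docker/config.json.
// The base64 values encode made-up "user:password" strings.
const dockerConfig = {
  auths: {
    "https://registry.internal.example:5000/v1/": { auth: "dXNlcjpzZWNyZXQ=" }, // "user:secret"
    "ghcr.io": { auth: "Z2hjcjp0b2tlbg==" },                                     // "ghcr:token"
  },
};

// VULNERABLE pattern: return the first configured entry whose key contains the
// requested host, or is contained by it. Any host that embeds a trusted
// registry name (e.g. a lookalike subdomain) satisfies the check.
function lookupCredentialSubstring(config, host) {
  for (const [key, entry] of Object.entries(config.auths)) {
    if (key.includes(host) || host.includes(key)) return entry.auth;
  }
  return null;
}

// Normalize a config key or a requested host to lowercase "host[:port]".
// Scheme, path and trailing dot are dropped; a default port is dropped by the
// URL parser; an explicit non-default port is kept as part of the origin.
// Returns null for anything the URL parser rejects.
function normalizeRegistryHost(value) {
  let v = String(value).trim().toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:\/\//.test(v)) v = "https://" + v; // URL needs a scheme
  let url;
  try {
    url = new URL(v);
  } catch {
    return null;
  }
  return url.host.replace(/\.$/, "");
}

// HARDENED pattern: exact comparison of normalized host[:port]. A host that
// differs in any label, or in an explicit port, gets no credential at all.
function lookupCredentialStrict(config, host) {
  const wanted = normalizeRegistryHost(host);
  if (!wanted) return null;
  for (const [key, entry] of Object.entries(config.auths)) {
    if (normalizeRegistryHost(key) === wanted) return entry.auth;
  }
  return null;
}

// Stand-alone demonstration with a constructed lookalike host.
const lookalike = "ghcr.io.lookalike.example";
console.log("substring lookup:", lookupCredentialSubstring(dockerConfig, lookalike)); // leaks ghcr.io secret
console.log("strict lookup:   ", lookupCredentialStrict(dockerConfig, lookalike));    // null
```

Note that the strict lookup treats `registry.internal.example` and `registry.internal.example:5000` as different origins and returns nothing for the former; that is the intended behaviour, since a credential configured for one port should not be sent to a listener on another. If you audit a tool for this class of bug, the test to write is exactly the lookalike case above: a host that contains, but is not equal to, a configured registry must never receive that registry's secret.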

Mitigation Strategies

  • Upgrade @cyclonedx/cdxgen to version 12.3.3 or later.
  • Rotate Docker registry credentials used in environments that previously ran vulnerable versions.
  • Implement strict egress network filtering on CI/CD build nodes to prevent unauthorized outbound connections.
  • Utilize dynamic, short-lived authentication tokens instead of static configurations in ~/.docker/config.json.

Remediation Steps:

  1. Identify all global and local installations of @cyclonedx/cdxgen across developer machines and build servers.
  2. Execute the update command: npm install -g @cyclonedx/cdxgen@latest
  3. Verify the installed version using: cdxgen --version (Must output >= 12.3.3).
  4. Revoke and regenerate service account tokens used by CI/CD pipelines for internal Docker registries.
