js · @merill/lokka · Critical
@merill/lokka prior to 2.1.2: Azure token leak via unvalidated path concatenation
What changed
Lokka versions before 2.1.2 built Azure Resource Manager request URLs by directly concatenating user-controlled path input, potentially leaking bearer tokens to unintended hosts. Version 2.1.2 validates Azure paths before token acquisition and uses the standard URL API for URL construction.
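The two patterns side by side, as an added illustration that is not Lokka's own code: the concatenation style the advisory describes, where a caller-supplied path can be reinterpreted as a host, and the corrected order of operations (validate the path, build the URL with the standard URL API, confirm the origin, and only then acquire the token). The ARM origin and the sample paths are constructed for this example; the token callback is a stand-in for whatever credential flow a real client uses.

```javascript
// Added example, not code from @merill/lokka. Demonstrates how string
// concatenation of a user-controlled path can redirect a bearer token to
// an unintended host, and how path validation plus the WHATWG URL API
// keeps the request on the expected Azure Resource Manager origin.

// Assumption for this example: the client only ever talks to this origin.
const ARM_ORIGIN = "https://management.azure.com";

// Vulnerable pattern: the origin and the caller's path are glued together
// as strings. Input such as "@evil.example/x" turns the intended host into
// a userinfo component, and ".evil.example/x" turns it into a subdomain.
function buildArmUrlUnsafe(userPath) {
  return ARM_ORIGIN + userPath;
}

// Host a given href would actually be sent to (as fetch() would parse it).
function destinationHost(href) {
  return new URL(href).host;
}

// Path validation: accept only a plain absolute path. A leading "//" is an
// authority, not a path, and anything without a leading "/" is rejected.
function isPlainArmPath(userPath) {
  if (typeof userPath !== "string") return false;
  if (!userPath.startsWith("/")) return false;
  if (userPath.startsWith("//")) return false;
  return true;
}

// Hardened pattern: validate, resolve with the URL API against the fixed
// origin, then verify the origin survived parsing (catches variants such
// as "/\evil.example", where the parser treats "\" as "/").
function buildArmUrlSafe(userPath) {
  if (!isPlainArmPath(userPath)) {
    throw new Error("ARM path must be an absolute path starting with a single '/'");
  }
  const url = new URL(userPath, ARM_ORIGIN);
  if (url.origin !== ARM_ORIGIN) {
    throw new Error("ARM path resolved outside the expected origin");
  }
  return url.href;
}

// Request preparation in the fixed order: the token is requested only after
// the URL has been validated, so an invalid path never causes a token to be
// minted or attached. acquireToken is a caller-supplied function (assumed).
function prepareArmRequest(userPath, acquireToken) {
  const url = buildArmUrlSafe(userPath);
  const token = acquireToken();
  return { url, headers: { Authorization: `Bearer ${token}` } };
}

// Same flow with the vulnerable builder, for comparison only.
function prepareArmRequestUnsafe(userPath, acquireToken) {
  const token = acquireToken();
  return { url: buildArmUrlUnsafe(userPath), headers: { Authorization: `Bearer ${token}` } };
}
```

With the unsafe builder, `destinationHost(prepareArmRequestUnsafe("@evil.example/x", getToken).url)` is `evil.example`, so the Authorization header would travel there; with `prepareArmRequest` the same input throws before `getToken` is ever called. The origin comparison after `new URL()` is the control that matters; the `startsWith` checks are a cheap first filter and are not sufficient on their own.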
Who it affects
Users of @merill/lokka versions prior to 2.1.2.
What to do today
Upgrade to version 2.1.2 or later immediately.