{"url":"http://public2.vulnerablecode.io/api/packages/373849?format=json","purl":"pkg:npm/renovate@43.102.11","type":"npm","namespace":"","name":"renovate","version":"43.102.11","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"37.199.0","latest_non_vulnerable_version":"43.102.11","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359846?format=json","vulnerability_id":"VCID-wvrv-6eck-vkcr","summary":"Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance\nWhen using [`lockFileMaintenance`](https://docs.renovatebot.com/configuration-options/#lockfilemaintenance) using the [bazel-module](https://docs.renovatebot.com/modules/manager/bazel-module/) or [bazelisk](https://docs.renovatebot.com/modules/manager/bazelisk/) managers between Renovate [43.65.0](https://github.com/renovatebot/renovate/releases/tag/43.65.0) (2026-03-12) and [43.102.11](https://github.com/renovatebot/renovate/releases/tag/43.102.11) (2026-04-02), there was the opportunity for remote code execution from a malicious dependency, _if the Bazel module executes code that relies on a dependency_.\n\nAs this is an \"unsafe\" execution path, we have disabled this by default, and self-hosted administrators must add it to the [`allowedUnsafeExecutions`](https://docs.renovatebot.com/self-hosted-configuration/#allowedunsafeexecutions) allowlist.\n\nIt is recommended to review whether you have enabled this functionality for these managers, and if so, whether any dependency updates may have led to remote code execution.\n\n## Impact\n\nIf Renovate suggested an update to a malicious dependency, _and_ that dependency is referenced as part of the `bazel mod deps` call - for instance as part of a `ctx.execute` call - this would call attacker-controlled code.\n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack), executing code that is distributed as part of the package.\n \n## Patches\n\nThis is patched in [43.102.11](https://github.com/renovatebot/renovate/releases/tag/43.102.11).\n\nThis does not affect any versions of [Mend Renovate Self-Hosted](https://www.mend.io/renovate/).\n\n## Workarounds\n\n- Upgrade your Renovate version\n- Disable `lockFileMaintenance` for these managers\n\n## Why did this happen?\n\nThis was missed in code review (as part of https://github.com/renovatebot/renovate/pull/41507).","references":[{"reference_url":"https://github.com/renovatebot/renovate","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate"},{"reference_url":"https://github.com/renovatebot/renovate/releases/tag/43.102.11","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/releases/tag/43.102.11"},{"reference_url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-5vjq-5jmg-39xq","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-5vjq-5jmg-39xq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373849?format=json","purl":"pkg:npm/renovate@43.102.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@43.102.11"}],"aliases":["GHSA-5vjq-5jmg-39xq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wvrv-6eck-vkcr"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@43.102.11"}