{"url":"http://public2.vulnerablecode.io/api/packages/380456?format=json","purl":"pkg:npm/%40tinacms/cli@1.0.9","type":"npm","namespace":"@tinacms","name":"cli","version":"1.0.9","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.6.2","latest_non_vulnerable_version":"2.1.8","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/128866?format=json","vulnerability_id":"VCID-ea36-qvq8-vkbd","summary":"Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25164","reference_id":"","reference_type":"","scores":[{"value":"0.00372","scoring_system":"epss","scoring_elements":"0.59358","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25164"},{"reference_url":"https://github.com/tinacms/tinacms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinacms/tinacms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25164","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25164"},{"reference_url":"https://github.com/tinacms/tinacms/pull/3584","reference_id":"3584","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/tinacms/tinacms/pull/3584"},{"reference_url":"https://github.com/advisories/GHSA-pc2q-jcxq-rjrr","reference_id":"GHSA-pc2q-jcxq-rjrr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pc2q-jcxq-rjrr"},{"reference_url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr","reference_id":"GHSA-pc2q-jcxq-rjrr","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:57Z/"}],"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380456?format=json","purl":"pkg:npm/%40tinacms/cli@1.0.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@1.0.9"}],"aliases":["CVE-2023-25164","GHSA-pc2q-jcxq-rjrr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ea36-qvq8-vkbd"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@1.0.9"}