Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/%40powersync/service-sync-rules@0.33.0 |
|---|
| Type | npm |
|---|
| Namespace | @powersync |
|---|
| Name | service-sync-rules |
|---|
| Version | 0.33.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-1152-dmqv-akh4 |
| vulnerability_id |
VCID-1152-dmqv-akh4 |
| summary |
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`
In version **1.20.0**, when using new sync streams with `config.edition: 3`, certain subquery filters were ignored when determining which data to sync to users.
Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted.
Only queries that gate synchronization using subqueries without partitioning the result set are affected.
Not affected:
* Sync rules (bucket_definitions)
* Sync streams using `config.edition: 2`
* No data is exposed without authenticating |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-30870, GHSA-q6wc-xx4m-92fj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1152-dmqv-akh4 |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/%2540powersync/service-sync-rules@0.33.0 |
|---|