{"url":"http://public2.vulnerablecode.io/api/packages/83075?format=json","purl":"pkg:npm/%40cyclonedx/cdxgen@11.1.7","type":"npm","namespace":"@cyclonedx","name":"cdxgen","version":"11.1.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"12.3.3","latest_non_vulnerable_version":"12.3.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95740?format=json","vulnerability_id":"VCID-ua5y-9jg6-zuhq","summary":"@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry\n# Docker registry auth substring match forwards credentials to a different registry\n\n## Repository\n\n`cdxgen/cdxgen`\n\n## Affected product/package\n\n- Ecosystem: npm\n- Package: `@cyclonedx/cdxgen`\n- Reviewed tree version: `12.3.3`\n- Reviewed commit: `b1e179869fd7c6032c3d483c3f7bd4d7154ec22b`\n- Affected file: `lib/managers/docker.js`\n- Affected from: v9.9.5\n\nThe Single Executable Applications (SEA) binaries and container images are also affected.\n\n## Weakness\n\nCWE-522 / CWE-346.\n\n## Summary\n\nWhen cdxgen scans or pulls container images through the Docker daemon API, it builds an `X-Registry-Auth` header from Docker credentials in `DOCKER_CONFIG/config.json`. The credential selection logic matches configured registry keys with substring checks:\n\n```js\nif (forRegistry && !serverAddress.includes(forRegistry)) {\n  continue;\n}\n```\n\nThis is not an origin-safe registry comparison. 
For example, credentials configured for `private-registry.example.com` are selected for a requested image under `registry.example.com`, because:\n\n```js\n\"private-registry.example.com\".includes(\"registry.example.com\") === true\n```\n\nThe selected credentials are then serialized into `X-Registry-Auth` for the Docker API pull request targeting the requested registry.\n\n## Reproduction\n\nUse the attached/local proof:\n\n```sh\nnode submissions/github-gsa/cdxgen-docker-registry-auth-substring-forwarding/evidence/cdxgen_docker_registry_auth_substring_probe.mjs\n```\n\nThe proof is fully local. It creates a temporary Docker config containing credentials for `private-registry.example.com`, starts a localhost mock Docker API endpoint, sets `DOCKER_HOST` to that endpoint, then calls cdxgen's exported Docker request path for a pull from `registry.example.com`.\n\nObserved vulnerable output:\n\n```json\n{\n  \"decision\": \"GO\",\n  \"dockerConfigAuthHost\": \"private-registry.example.com\",\n  \"requestedRegistry\": \"registry.example.com\",\n  \"substringMatch\": true,\n  \"dockerApiUrl\": \"/images/create?fromImage=registry.example.com/team/app:latest\",\n  \"headerPresent\": true,\n  \"decodedHeader\": {\n    \"username\": \"trusted-user\",\n    \"password\": \"trusted-pass\",\n    \"serveraddress\": \"private-registry.example.com\"\n  }\n}\n```\n\n## Impact\n\nIf an operator has Docker credentials for a private registry and uses cdxgen to scan an image from a different registry whose hostname is a substring of that private registry hostname, cdxgen can attach the private registry credentials to the Docker pull request for the different registry.\n\nIn a realistic attack, an attacker who controls or can observe the requested registry can induce a victim to scan an image from that registry. The Docker daemon API receives an `X-Registry-Auth` payload containing credentials for the victim's private registry but associated with the attacker-requested pull. 
This is a credential forwarding/misbinding issue in cdxgen's container image handling.\n\n\n## References\n\nFunctions `normalizeRegistryHost` and `registriesMatch` added to normalize and perform strict host matching.\n\nFix PR: https://github.com/cdxgen/cdxgen/pull/3964\n\nResearcher: Francesco Sabiu","references":[{"reference_url":"https://github.com/cdxgen/cdxgen","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cdxgen/cdxgen"},{"reference_url":"https://github.com/cdxgen/cdxgen/security/advisories/GHSA-qhh4-458h-xwh2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cdxgen/cdxgen/security/advisories/GHSA-qhh4-458h-xwh2"},{"reference_url":"https://github.com/advisories/GHSA-qhh4-458h-xwh2","reference_id":"GHSA-qhh4-458h-xwh2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qhh4-458h-xwh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/119856?format=json","purl":"pkg:npm/%40cyclonedx/cdxgen@12.3.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540cyclonedx/cdxgen@12.3.3"}],"aliases":["GHSA-qhh4-458h-xwh2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ua5y-9jg6-zuhq"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerab
lecode.io/api/vulnerabilities/56095?format=json","vulnerability_id":"VCID-956t-21xr-sbdu","summary":"CycloneDX cdxgen may execute code contained within build-related files\nCycloneDX cdxgen prior to 11.1.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50611","reference_id":"","reference_type":"","scores":[{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32015","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32006","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31983","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32084","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32052","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50611"},{"reference_url":"https://github.com/CycloneDX/cdxgen","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CycloneDX/cdxgen"},{"reference_url":"https://github.com/CycloneDX/cdxgen/issues/1328","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv3.1","scorin
g_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-30T18:20:40Z/"}],"url":"https://github.com/CycloneDX/cdxgen/issues/1328"},{"reference_url":"https://github.com/CycloneDX/cdxgen/pull/1614","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CycloneDX/cdxgen/pull/1614"},{"reference_url":"https://github.com/CycloneDX/cdxgen/releases","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-30T18:20:40Z/"}],"url":"https://github.com/CycloneDX/cdxgen/releases"},{"reference_url":"https://github.com/CycloneDX/cdxgen/releases/tag/v11.1.7","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:
N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CycloneDX/cdxgen/releases/tag/v11.1.7"},{"reference_url":"https://owasp.org/www-project-dep-scan","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://owasp.org/www-project-dep-scan"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50611","reference_id":"CVE-2024-50611","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50611"},{"reference_url":"https://github.com/advisories/GHSA-hxf3-vgpm-fv9p","reference_id":"GHSA-hxf3-vgpm-fv9p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxf3-vgpm-fv9p"},{"reference_url":"https://owasp.org/www-project-dep-scan/","reference_id":"www-project-dep-scan","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-30T18:20:40Z/"}],"url":"https://owasp.org/www-project-dep-scan/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83075?format=json","purl":"pkg:npm/%40cyclonedx/cdxgen@11.1.7","is_vulnerable":true,"affected_by_vulnerabi
lities":[{"vulnerability":"VCID-ua5y-9jg6-zuhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540cyclonedx/cdxgen@11.1.7"}],"aliases":["CVE-2024-50611","GHSA-hxf3-vgpm-fv9p"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-956t-21xr-sbdu"}],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540cyclonedx/cdxgen@11.1.7"}