Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/961806?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/961806?format=api", "purl": "pkg:npm/renovate@42.92.0", "type": "npm", "namespace": "", "name": "renovate", "version": "42.92.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "42.96.3", "latest_non_vulnerable_version": "43.102.11", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50128?format=api", "vulnerability_id": "VCID-thg8-1rbz-xbf5", "summary": "Child processes spawned by Renovate incorrectly have full access to environment variables\nWhen Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.\n\nSince [42.68.1](https://github.com/renovatebot/renovate/releases/tag/42.68.1) (2025-12-30), this filtering had been **inadvertently removed**, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.\n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack) being able to exfiltrate secrets from the Renovate deployment.\n\nIt is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.", "references": [ { "reference_url": "https://github.com/renovatebot/renovate", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/renovatebot/renovate" }, { "reference_url": 
"https://github.com/renovatebot/renovate/releases/tag/42.96.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/renovatebot/renovate/releases/tag/42.96.3" }, { "reference_url": "https://github.com/renovatebot/renovate/releases/tag/43.4.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/renovatebot/renovate/releases/tag/43.4.4" }, { "reference_url": "https://github.com/advisories/GHSA-8wc6-vgrq-x6cf", "reference_id": "GHSA-8wc6-vgrq-x6cf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8wc6-vgrq-x6cf" }, { "reference_url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-8wc6-vgrq-x6cf", "reference_id": "GHSA-8wc6-vgrq-x6cf", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-8wc6-vgrq-x6cf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74027?format=api", "purl": "pkg:npm/renovate@42.96.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/renovate@42.96.3" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/74028?format=api", "purl": "pkg:npm/renovate@43.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/renovate@43.4.4" } ], "aliases": [ "GHSA-8wc6-vgrq-x6cf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-thg8-1rbz-xbf5" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/renovate@42.92.0" }