Skip to main content

Exposure of Sensitive Information to an Unauthorized Actor


Severity High
Score 0/10


Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.7, and 5.X before 5.9.1, and 5.10.0-alpha-wordpress.X before 5.10.0-alpha-wordpress.5, and 5.10.0-next.x before 5.10.0-next.2, leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in [email protected] and [email protected] which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`. One may manually edit the app.js file post-build as a workaround.

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

Advisory Timeline

  • Published