AIKIDO-2025-10919

happy-coder is vulnerable to Insertion of Sensitive Information into Log File

Weakness: Insertion of Sensitive Information into Log File
Pre-CVE: Found by Aikido Intel before public disclosure or CVE publication.
Published Dec 10, 2025

Risk: 35 (Low Risk)

This Affects:

Package: happy-coder (JS)
Affected versions: 0.1.5 - 0.11.2
Fixed in 0.12.0

TL;DR

Affected versions of this package are vulnerable to Information Disclosure: Expo push notification device tokens are written in plaintext to local debug log files stored in ~/.happy/logs/ or ~/.happy-dev/logs/. The log files holding these security-sensitive credentials are created with standard file permissions, so other processes running as the same user can read them. An attacker who gains user-level access to the machine can read the log files and extract the push tokens. With the tokens, the attacker can send impersonating push notifications, craft phishing alerts, track specific user devices, or spam users as a denial-of-service attack.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

happy-coder is vulnerable to Insertion of Sensitive Information into Log File in versions 0.1.5 - 0.11.2.

How to fix this

Upgrade the happy-coder library to the patched version (0.12.0).
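
A check for machines that have run an affected version, as an added example (not code from happy-coder or from Aikido): it lists which files under the two log directories named in the TL;DR contain Expo push tokens, reporting line numbers and file mode but never the token itself. The pattern is Expo's `ExponentPushToken[...]` / `ExpoPushToken[...]` token format; the function names and the sample log lines are constructed for illustration.

```javascript
// Added example (not happy-coder code): find plaintext Expo push tokens in debug logs.
// Matches Expo's ExponentPushToken[...] / ExpoPushToken[...] token format.
const TOKEN_RE = /\b(Expo(?:nent)?PushToken)\[[^\]\s]+\]/g;

// Replace each token body so a log can be shared without leaking the credential.
function redactTokens(text) {
  return text.replace(TOKEN_RE, '$1[REDACTED]');
}

// Return 1-based line numbers that contain a token; the token itself is never returned.
function findTokenLines(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.search(TOKEN_RE) !== -1) hits.push(i + 1);
  });
  return hits;
}

// Walk the log directories named in the advisory (relative to the home directory).
// Dynamic import() keeps this working in both CommonJS and ES module files.
async function auditLogDirs(dirs = ['.happy/logs', '.happy-dev/logs']) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const os = await import('node:os');
  const report = [];
  for (const dir of dirs) {
    const abs = path.join(os.homedir(), dir);
    const names = await fs.readdir(abs).catch(() => []); // directory absent: nothing to audit
    for (const name of names) {
      const file = path.join(abs, name);
      try {
        const st = await fs.stat(file);
        if (!st.isFile()) continue;
        const lines = findTokenLines(await fs.readFile(file, 'utf8'));
        if (lines.length) report.push({ file, lines, mode: (st.mode & 0o777).toString(8) });
      } catch { /* unreadable entry: skip it */ }
    }
  }
  return report;
}

// Constructed sample log lines (format and token values are made up).
const SAMPLE_LOG = [
  '[12:00:01] daemon started',
  '[12:00:02] registering push token ExponentPushToken[constructedSampleToken01]',
  '[12:00:03] push sent to ExpoPushToken[constructedSampleToken02]',
].join('\n');

console.log('sample lines with tokens:', findTokenLines(SAMPLE_LOG));
auditLogDirs().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Files it reports can be deleted, or passed through `redactTokens` before a log is shared in a bug report.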