AIKIDO-2025-10968
mintlify is vulnerable to Use of third-party component with multiple disclosed vulnerabilities
50
Medium Risk
This Affects:
mintlifyTL;DR
Affected versions of this package are vulnerable to a chain of security flaws including cross-tenant static asset access, a path traversal bypass, insecure cross-domain data endpoints, server-side rendering code execution, a site downgrade attack, and an IDOR in the dashboard. An attacker could exploit these in concert, for instance by uploading a malicious SVG via one vulnerability to execute cross-site scripting (XSS) on another customer's domain, potentially compromising user sessions and data. All issues have been fixed; the maintainer has added a deprecation notice on npm installs for vulnerable versions, and users must upgrade immediately.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
mintlify is vulnerable to Use of third-party component with multiple disclosed vulnerabilities in versions 0.1.0 - 4.2.210.
How to fix this
Upgrade the mintlify library to the patch version.
Links
mintlify.com/blog/working-with-security-researchers-november-2025
gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28heartbreak.ingkibty.town/blog/mintlify/news.ycombinator.com/item?id=46317098mintlify.com/docs/changelog
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant