AIKIDO-2026-10325
github.com/caioricciuti/ch-ui is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
47
Medium Risk
This Affects:
github.com/caioricciuti/ch-uiTL;DR
Affected versions of this package expose application environment variables to the client-side through injected scripts, causing sensitive configuration values (e.g., service URLs, usernames, and potentially credentials) to be visible in the browser console. This leakage can allow attackers to enumerate internal infrastructure details and obtain credentials or tokens that should remain server-side. An attacker could simply access the web application, inspect the browser console or bundled JavaScript, and retrieve the exposed variables to connect directly to backend services (e.g., ClickHouse), pivot into internal systems, or abuse privileged API access.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
github.com/caioricciuti/ch-ui is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 1.5.10 - 1.6.3.
How to fix this
Upgrade the github.com/caioricciuti/ch-ui library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant