Intel

AIKIDO-2026-193053

pusher is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

28

Low Risk

This Affects:

JSpusher
2.2.0 - 5.3.3
Fixed in 5.3.4
Are you affected? Scan for Free

TL;DR

The Config constructor in lib/config.js validates the encryptionMasterKey and encryptionMasterKeyBase64 options and throws an error when the supplied key is not the expected length. Before the fix, those error messages concatenated the raw user-provided key value directly into the thrown error string. If that error propagated to application logs, error trackers, or HTTP responses, the secret encryption master key material was exposed to anyone able to read those sinks. The fix redacts the key value and reports only its length.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and configure end-to-end encryption with an encryptionMasterKey or encryptionMasterKeyBase64 of an invalid length whose resulting error is surfaced to logs, error trackers, or responses.

Background info

pusher is vulnerable to Exposure of Sensitive Information in versions 2.2.0 - 5.3.3.

How to fix this

Upgrade the pusher library to the patch version.