pusher is vulnerable to Exposure of Sensitive Information
28
Low Risk
The Config constructor in lib/config.js validates the encryptionMasterKey and encryptionMasterKeyBase64 options and throws an error when the supplied key is not the expected length. Before the fix, those error messages concatenated the raw user-provided key value directly into the thrown error string. If that error propagated to application logs, error trackers, or HTTP responses, the secret encryption master key material was exposed to anyone able to read those sinks. The fix redacts the key value and reports only its length.
You are affected if you are using a version that falls within the vulnerable range and configure end-to-end encryption with an encryptionMasterKey or encryptionMasterKeyBase64 of an invalid length whose resulting error is surfaced to logs, error trackers, or responses.
pusher is vulnerable to Exposure of Sensitive Information in versions 2.2.0 - 5.3.3.
Upgrade the pusher library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant