semantic-release is vulnerable to Exposure of Sensitive Information
41
Medium Risk
The secret-masking logic in lib/hide-sensitive.js builds its redaction pattern from only the raw secret value and its encodeURI form. When the package embeds Git credentials into a repository URL it uses url.format(), which percent-encodes characters such as =, &, and # that encodeURI leaves untouched, producing a credential form the mask does not match. As a result, secrets containing those characters can appear unredacted in command output and logs, for example when a git command fails and the authenticated URL is printed. The fix expands the redaction candidates to also cover encodeURIComponent and the colon-preserving url.format() encoding.
You are affected if you are using a version that falls within the vulnerable range and your secret token or password contains characters that get percent-encoded in URLs, such as =, &, or #.
semantic-release is vulnerable to Exposure of Sensitive Information in versions 19.0.3 - 25.0.5.
Upgrade the semantic-release library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant