CVE-2020-11059

9.6 CRITICAL

📋 TL;DR

AEgir's 'build' and 'publish' commands copy environment variables from the build machine into the output that ships inside the published npm package. Anyone who ran those commands with AEgir 21.7.0 through 21.10.0 while secrets (API keys, npm tokens, database passwords) were set in the environment may have published those secrets, and anyone who downloads the package tarball can read them.

💻 Affected Systems

Products:
  • AEgir
Versions: >=21.7.0, <21.10.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who ran 'aegir publish' or 'aegir build'. Every variable present in the environment of that process is at risk, not just ones the build intentionally uses; CI runners that inject secrets as environment variables are the common case.

📦 What is this software?

AEgir is the shared build, test and release tool for the IPFS project's JavaScript packages (github.com/ipfs/aegir). Among other things it bundles a package for browser use and publishes releases to npm, which is why a defect in it ends up in the published artifacts of every project that uses it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain production API keys, database credentials, or other secrets, leading to complete system compromise, data theft, or unauthorized access to connected services.

🟠 Likely Case

Secrets embedded in published packages are discovered through package inspection, enabling attackers to access associated services (cloud platforms, APIs, databases) with stolen credentials.

🟢 If Mitigated

If secrets are properly managed (not present in the environment when AEgir runs) or packages aren't publicly published, impact is minimal to none.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No (none is needed; see below)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only downloading the published tarball (for example with 'npm pack <package>@<version>'), unpacking it and searching the bundled files for credential-shaped strings; no authentication or special access is needed, and the registry does not tell the package author who downloaded it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.10.1

Vendor Advisory: https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw

Restart Required: No

Instructions:

1. Treat every secret that was in the environment of a vulnerable 'aegir build' or 'aegir publish' run as compromised and rotate it. Updating AEgir does not remove anything already published.
2. Update AEgir to version 21.10.1 or later: 'npm update aegir' or 'yarn upgrade aegir' (AEgir is normally a devDependency, so run this inside each affected project).
3. Verify the update with 'aegir --version' or 'npm list aegir'.
4. Unpublish or deprecate the package versions that were built with a vulnerable AEgir, then rebuild and republish from the patched version. Republishing on its own does not remove the old tarballs from the registry.

🔧 Temporary Workarounds

Avoid sensitive environment variables

Applies to: all

Do not have secrets in the environment when running 'aegir publish' or 'aegir build'. Unset them in the shell or CI step that invokes AEgir; setting a variable to the empty string still leaves a (harmless but misleading) entry in the output, so remove it instead:

unset SENSITIVE_VAR_NAME

Use alternative build tools

Applies to: all

Temporarily build and publish with other tooling until the project can move to AEgir 21.10.1 or later.

🧯 If You Can't Patch

  • Immediately rotate all secrets that might have been exposed in published packages; assume anything that was in the environment of a vulnerable build has already been copied.
  • Audit every npm version published with a vulnerable AEgir. Unpublish those still within npm's unpublish window; for the rest, deprecate the version ('npm deprecate <pkg>@<version> "<message>"') so consumers are warned, and publish a clean release.

🔍 How to Verify

Check if Vulnerable:

Check the AEgir version each project actually resolves with 'npm list aegir' (or 'aegir --version' run inside the project, since a global install can differ); if the version is between 21.7.0 and 21.10.0 inclusive, you are vulnerable. For releases already on npm, check which AEgir version the lockfile pinned at the time of that release, since those are the artifacts that may carry secrets.

Check Version:

aegir --version

Verify Fix Applied:

After updating, confirm version is 21.10.1 or higher with 'aegir --version'.

📡 Detection & Monitoring

Log Indicators:

  • Authentication or API calls on the services behind the leaked credentials (cloud provider, npm, databases, third-party APIs) from source IPs, regions, or user agents you do not normally see
  • npm registry events for your packages: new versions, token creation, or ownership changes you did not initiate, if an npm token was among the exposed variables

Network Indicators:

  • The registry does not expose downloader IPs to package authors, so there is no useful indicator on the npm side; watch instead for connections authenticating with the exposed credentials to the backend services they unlock

SIEM Query:

A SIEM cannot match on secret values, so key the search on the credential identifiers instead: the access key IDs, token IDs, service-account or database user names that were set in the vulnerable build environment. Alert on successful authentications with those identifiers from new or unexpected sources, and on any use of them after their scheduled rotation.

🔗 References

  • Vendor advisory (GitHub Security Advisory): https://github.com/ipfs/aegir/security/advisories/GHSA-qfcv-5whw-7pcw
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-11059