CVE-2023-25164: Only expose `NEXT_PUBLIC_*` and `TINA_PUBLIC_*` ENV vars by logan-anderson · Pull Request #3584 · tinacms/tinacms

TinaCMS is a Git-backed headless content management system with support for visual editing. Sites built with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env are impacted: those values are written in plaintext into the generated index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (e.g. Algolia API keys), you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.

Tags: CVE, #vulnerability, #web, #js, #git

Fixes #3579 by exposing NODE_ENV, NEXT_PUBLIC_, TINA_PUBLIC_, and HEAD (for integration with Netlify) environment vars in the admin.

Update:

To address this, update @tinacms/cli to the latest patch 1.0.9. If you’re on a version prior to 1.0.0 this vulnerability does not affect you.

Tina credentials like the API token are not considered especially vulnerable because they’re for read-only access. Nevertheless, it may be a good idea to update them.

More importantly, if your Tina-enabled website has other credentials (e.g. Algolia API keys) you should rotate those keys immediately.

Going forward, if you're using environment variables in any field customization (i.e. ui.component functions), you'll need to make sure those are prefixed with TINA_PUBLIC_ (NEXT_PUBLIC_ is also supported).
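The fix described above comes down to an allowlist: only environment variables with an approved prefix (plus a couple of exact names) may be copied into the client bundle. The following is an added example, not code from the TinaCMS project, that contrasts the unsafe "copy everything from process.env" behaviour with a prefix allowlist, and includes a pre-deploy check that scans the built bundle text for values of non-public variables. The function names (`exposeAllEnv`, `exposePublicEnv`, `bundleLeaksSecret`) and the sample environment are constructed for illustration; the sample values are placeholders, not real credentials.

```javascript
// Added example (not TinaCMS code): allowlisting env vars for a client bundle.

// Prefixes and exact names the PR description allows into the admin bundle.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "TINA_PUBLIC_"];
const PUBLIC_EXACT = new Set(["NODE_ENV", "HEAD"]);

function isPublicEnvKey(key) {
  return PUBLIC_EXACT.has(key) || PUBLIC_PREFIXES.some((p) => key.startsWith(p));
}

// Unsafe: the behaviour the advisory describes. Every variable, including
// secrets, ends up serialised into the generated index.js.
function exposeAllEnv(env) {
  return { ...env };
}

// Hardened: only keys that pass the allowlist are copied.
function exposePublicEnv(env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (isPublicEnvKey(key)) out[key] = value;
  }
  return out;
}

// Mimics how a bundler inlines a define()/replace of the env object as a
// plaintext literal in the output file.
function renderEnvDefine(publicEnv) {
  return `const __ENV__ = ${JSON.stringify(publicEnv)};`;
}

// Defender check for CI: given the built bundle source and the build-time env,
// return the names of non-public variables whose values appear in the bundle.
function bundleLeaksSecret(bundleSource, env) {
  const leaked = [];
  for (const [key, value] of Object.entries(env)) {
    if (!isPublicEnvKey(key) && value && bundleSource.includes(value)) {
      leaked.push(key);
    }
  }
  return leaked;
}

// Constructed sample environment; all values are placeholders.
const SAMPLE_ENV = {
  NODE_ENV: "production",
  HEAD: "main",
  NEXT_PUBLIC_SITE_URL: "https://example.invalid",
  TINA_PUBLIC_CLIENT_ID: "client-id-placeholder",
  ALGOLIA_ADMIN_KEY: "algolia-admin-key-placeholder",
  DATABASE_URL: "postgres://user:pass-placeholder@db.invalid/app",
};

// Runs both builds against the sample env and reports which one leaks.
function demo(env = SAMPLE_ENV) {
  const unsafeBundle = renderEnvDefine(exposeAllEnv(env));
  const safeBundle = renderEnvDefine(exposePublicEnv(env));
  return {
    unsafeLeaks: bundleLeaksSecret(unsafeBundle, env),
    safeLeaks: bundleLeaksSecret(safeBundle, env),
    publicKeys: Object.keys(exposePublicEnv(env)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `bundleLeaksSecret` scan is a cheap guard to run in CI after a build: it needs no knowledge of the bundler, only the environment the build ran with, and it fails the pipeline if any non-allowlisted value shows up verbatim in the output. It will not catch values that a bundler transforms (e.g. base64-encodes), so treat it as a backstop for the allowlist, not a replacement for it.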
