Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit dd3c1d1b5d43 · 2026-03-30T17:12:40.000Z
GHSA-v9p7-gf3q-h779 GHSA-x2f5-332j-9xwq
diff --git a/advisories/github-reviewed/2026/03/GHSA-v9p7-gf3q-h779/GHSA-v9p7-gf3q-h779.json b/advisories/github-reviewed/2026/03/GHSA-v9p7-gf3q-h779/GHSA-v9p7-gf3q-h779.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v9p7-gf3q-h779",
+  "modified": "2026-03-30T17:07:54Z",
+  "published": "2026-03-30T17:07:53Z",
+  "aliases": [
+    "CVE-2026-33949"
+  ],
+  "summary": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files",
+  "details": "### Summary\nA Path Traversal vulnerability in `@tinacms/graphql` allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the `relativePath` parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts.\n\n### Details\nThe vulnerability exists in the path validation logic within `@tinacms/graphql`. Specifically, the regex-based validation in `getValidatedPath` fails to recognize backslashes (`\\`) as directory separators on non-Windows platforms (Mac/Linux). An attacker can provide a path like `x\\..\\..\\..\\package.json`, which bypasses the validation check but is subsequently treated as a traversal path during file I/O operations by the underlying `fs` modules and path normalization utilities.\n\nIncriminated code areas:\n- [packages/@tinacms/graphql/src/database/bridge/filesystem.ts](tinacms/packages/@tinacms/graphql/src/database/bridge/filesystem.ts): [assertWithinBase](tinacms/graphql/src/database/bridge/filesystem.ts#7-35) function.\n- [packages/@tinacms/graphql/src/resolver/index.ts](tinacms/packages/@tinacms/graphql/src/resolver/index.ts): `getValidatedPath` function.\n\n### PoC\n1. Start the TinaCMS development server.\n2. Send a malicious GraphQL mutation to overwrite a project file (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json)):\n\n```bash\ncurl -X POST http://localhost:4001/graphql \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"query\": \"mutation { updateDocument(collection: \\\"global\\\", relativePath: \\\"x\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\\\", params: { global: { header: { name: \\\"OVERWRITTEN\\\" } } }) { __typename } }\"}'\n```\n\n3. Observe that the root [package.json](tinacms/examples/tina-self-hosted-demo/package.json) has been replaced with the provided payload.\n\n<img width=\"1424\" height=\"516\" alt=\"2026-03-15_12-24-05 PM\" src=\"https://github.com/user-attachments/assets/9fdf94ce-2183-4a24-9cd9-48f21deb9768\" />\n\n<img width=\"1387\" height=\"774\" alt=\"2026-03-15_12-27-33 PM\" src=\"https://github.com/user-attachments/assets/676f083b-f934-4cf2-978b-bb2fabee0216\" />\n\n### Impact\nThis is an **Arbitrary File Write** vulnerability. Any unauthenticated user with network access to the GraphQL API can:\n- Overwrite critical server configuration files (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json), [tsconfig.json](tinacms/examples/tina-self-hosted-demo/tsconfig.json)).\n- Host malicious scripts in the `public/` directory for client-side attacks.\n- Perform **Arbitrary Code Execution** by modifying build scripts or server-side logic files that are subsequently executed by the environment.\n\n\n\n**Weaknesses:**\n- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n- **CWE-73**: External Control of File Name or Path",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@tinacms/graphql"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/tinacms/tinacms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22",
+      "CWE-73"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T17:07:53Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-x2f5-332j-9xwq/GHSA-x2f5-332j-9xwq.json b/advisories/github-reviewed/2026/03/GHSA-x2f5-332j-9xwq/GHSA-x2f5-332j-9xwq.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x2f5-332j-9xwq",
+  "modified": "2026-03-30T17:08:25Z",
+  "published": "2026-03-30T17:08:25Z",
+  "aliases": [
+    "CVE-2026-33990"
+  ],
+  "summary": "Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF)",
+  "details": "## Summary\nDocker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's `WWW-Authenticate` header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., `http://127.0.0.1:3000/`), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the `Authorization: Bearer` header.\n\n## Patches\nFixed in Docker Model Runner v1.1.25\nDocker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.\n\n## Workarounds\nFor Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.\n\n## Impact\nAn unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/docker/model-runner"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.25"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/docker/model-runner/security/advisories/GHSA-x2f5-332j-9xwq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/docker/model-runner"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T17:08:25Z",
+    "nvd_published_at": null
+  }
+}
