
Conversation


@uiolee uiolee commented Sep 4, 2025

Updates

  • Affected products
  • CVSS v3
  • Description
  • Severity
  • Source code location
  • Summary

Comments
add more detail

@Copilot Copilot AI review requested due to automatic review settings September 4, 2025 13:09
@github-actions github-actions bot changed the base branch from main to uiolee/advisory-improvement-6088 September 4, 2025 13:10

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates a security advisory for Hexo's arbitrary file read vulnerability (GHSA-x2jc-989c-47q4) by adding comprehensive details including affected package information, proper CVSS scoring, and additional references.

  • Updates CVSS score from HIGH to LOW severity with more accurate vector scoring
  • Adds complete affected package information for npm ecosystem with version ranges
  • Includes additional source code reference and corrects version details


"published": "2023-09-08T15:30:18Z",
"aliases": [
"CVE-2023-39584"
],
"details": "Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.",
"summary": "hexo \"include_code\" path traversal",
"details": "Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.",
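Review bot: the updated details line at the end of this hunk still reads as a generic "arbitrary file read" while the summary line directly above it names an include_code path traversal; bring the two into agreement by saying in the details that the issue is a path traversal in the include_code tag that allows reading files outside the intended directory, since the details field is what downstream consumers display. The version ceiling also moves from "v7.0.0 (RC2)" to "v7.1.1" here; make sure the npm affected-range entry added elsewhere in this PR uses the same upper bound, and confirm only the v7.1.1 details key survives in the JSON (the rendered hunk shows both the old and the new line, and a duplicated key would be rejected).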

Copilot AI Sep 4, 2025


The details field should provide more specific information about the vulnerability mechanism. Consider adding details about the path traversal nature of the vulnerability and the affected 'include_code' functionality as indicated in the summary.

Suggested change
"details": "Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.",
"details": "Hexo up to v7.1.1 contains a path traversal vulnerability in the 'include_code' functionality. By supplying crafted input to the 'include_code' tag, an attacker can read arbitrary files from the server's filesystem outside the intended directory. This issue allows unauthorized access to sensitive files via directory traversal.",


@@ -27,6 +51,10 @@
"type": "WEB",
"url": "https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49"
},
{
"type": "PACKAGE",
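Review bot: the new reference entry is typed PACKAGE but its URL is cut off in this hunk; PACKAGE is the type for the package registry entry (the npm page for hexo), so if this URL is a second source-code link like the WEB entry immediately above it, type it WEB and keep a single PACKAGE reference for the registry URL. The existing WEB link is correctly pinned to a commit hash (a3e68e7...) rather than a branch, so the cited include_code.js line will stay stable; apply the same to any additional source link added here.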

Copilot AI Sep 4, 2025


The reference type should be 'WEB' instead of 'PACKAGE' for consistency with the existing source code reference. The 'PACKAGE' type is typically reserved for package registry URLs.

Suggested change
"type": "PACKAGE",
"type": "WEB",


@advisory-database advisory-database bot merged commit ef87364 into uiolee/advisory-improvement-6088 Sep 4, 2025
4 checks passed
@advisory-database
Contributor

Hi @uiolee! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the uiolee-GHSA-x2jc-989c-47q4 branch September 4, 2025 17:38