SCA: security update for gatsby (GHSA-c6f8-8r25-c4gc)

medium Tenable Cloud Security Plugin ID 413709

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7
and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-
frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the
development server could potentially be exposed. It should be noted that by default `gatsby develop` is
only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to
other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H
0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `[email protected]`
and `[email protected]` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade
should avoid exposing their development server to the internet. (CVE-2023-34238)

See Also

https://github.com/advisories/GHSA-c6f8-8r25-c4gc

Plugin Details

Severity: Medium

ID: 413709

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-34238

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/9/2023

Vulnerability Publication Date: 6/7/2023

Reference Information

CVE: CVE-2023-34238

cwe: CWE-22