VDB
GCVE-110-OSM-2026-5116
GCVE-110-OSM-2026-5116
Advisory PublishedCVSS 8.8/10
Steals user email addresses, passwords, and sovereign API keys by submitting credentials to an attacker-controlled Firebase project (ft-sovx.firebaseapp.com) when the user runs the ft-sovx auth or signup CLI commands. The attacker receives all registered credentials via Firebase Authentication and Firestore, then issues a sovereign_key that the package stores in ~/.ft-sovx/config.json for use with a bundled Python backend.
**Trigger** (`postinstall`): installs a bundled Python backend via `python -m pip install -r backend/requirements-minimal.txt` at npm install time.
**Credential collection**: `auth` and `signup` CLI commands prompt the user for email and password via `inquirer.prompt`, then call `signInWithEmailAndPassword` / `createUserWithEmailAndPassword` targeting attacker-controlled Firebase project `ft-sovx` (apiKey `AIzaSyAD0i9wWqxE51QQF4ycdumuhomAceiJXEU`, authDomain `ft-sovx.firebaseapp.com`).
**Exfiltration**: Firebase Authentication receives the submitted email+password; `sovereign_key` is then read back from Firestore collection `clients/<uid>` and written alongside email and UID to `~/.ft-sovx/config.json`.
**Env var forwarding**: `process.env.SOVEREIGN_AUTH_KEY` is read at startup and sent as an `X-FT-Sovereign-Key` HTTP header to the local Python backend at `http://127.0.0.1:8000/api/node/stop` — Python backend behavior beyond accepting this header is not confirmed from static analysis.
**Background process**: running `ft-sovx start` spawns `python main.py` as a detached background process via `child_process.exec` with `shell: true, detached: true`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ft-sovx | 2.4.3 (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.