VDB

GCVE-110-OSM-2026-5116

GCVE-110-OSM-2026-5116
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Steals user email addresses, passwords, and sovereign API keys by submitting credentials to an attacker-controlled Firebase project (ft-sovx.firebaseapp.com) when the user runs the ft-sovx auth or signup CLI commands. The attacker receives all registered credentials via Firebase Authentication and Firestore, then issues a sovereign_key that the package stores in ~/.ft-sovx/config.json for use with a bundled Python backend. **Trigger** (`postinstall`): installs a bundled Python backend via `python -m pip install -r backend/requirements-minimal.txt` at npm install time. **Credential collection**: `auth` and `signup` CLI commands prompt the user for email and password via `inquirer.prompt`, then call `signInWithEmailAndPassword` / `createUserWithEmailAndPassword` targeting attacker-controlled Firebase project `ft-sovx` (apiKey `AIzaSyAD0i9wWqxE51QQF4ycdumuhomAceiJXEU`, authDomain `ft-sovx.firebaseapp.com`). **Exfiltration**: Firebase Authentication receives the submitted email+password; `sovereign_key` is then read back from Firestore collection `clients/<uid>` and written alongside email and UID to `~/.ft-sovx/config.json`. **Env var forwarding**: `process.env.SOVEREIGN_AUTH_KEY` is read at startup and sent as an `X-FT-Sovereign-Key` HTTP header to the local Python backend at `http://127.0.0.1:8000/api/node/stop` — Python backend behavior beyond accepting this header is not confirmed from static analysis. **Background process**: running `ft-sovx start` spawns `python main.py` as a detached background process via `child_process.exec` with `shell: true, detached: true`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownft-sovx2.4.3 (affected)

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›