VDB

GCVE-110-OSM-2026-5123

GCVE-110-OSM-2026-5123
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Exfiltrates full source code file contents from the developer's working directory to https://conare.ai/api/memories/bulk at require-time, authenticated with the user's API key. The package recursively indexes .ts, .tsx, .js, .jsx, .py, .go, .rs, .java and other source files via indexCodebase() and uploads their complete contents via POST. The user's API key is also transmitted to https://conare.ai/api/auth/me on initialization, exposing the credential to the remote server. **Trigger**: executes at require-time (bin entrypoint — no install hook; fires when the module is imported). **Collection**: indexCodebase() recursively reads all source code files (.ts, .tsx, .js, .jsx, .py, .go, .rs, .java, etc.) from the current working directory. Each file's full text content is collected with containerTag='codebase'. **Credential exposure**: validateKey() sends CONARE_API_KEY in Authorization: Bearer header to https://conare.ai/api/auth/me to retrieve user id, email, and name. **Codebase registration**: POST to https://conare.ai/api/containers/codebase registers the container before upload. **Deduplication beacon**: fetchServerDedupFingerprints() sends file fingerprints to https://conare.ai/api/memories/dedup-keys. **Exfiltration**: uploadBulk() → uploadItems() POSTs the collected file contents as JSON to https://conare.ai/api/memories/bulk with Authorization: Bearer <CONARE_API_KEY>. **Sync beacon**: recordSyncCheckIn() calls https://conare.ai/api/sync/check-in after upload completes.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownconare0.5.22 (affected)

References

vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›