{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-06-25T06:53:18.137",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-39382",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2022-11-03T14:15:23.767",
        "lastModified": "2026-06-17T04:58:15.293",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Keystone is a headless CMS for Node.js — built with GraphQL and React. `@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `\"development\"` for user code, irrespective of what your environment variables are. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured `NODE_ENV` variable. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. This vulnerability has been fixed in @keystone-6/core@3.0.2; regression tests have been added for this vulnerability in #8063."
          },
          {
            "lang": "es",
            "value": "Keystone is a headless CMS for Node.js built with GraphQL and React. `@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `\"development\"` for user code, irrespective of what their environment variables are. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, this vulnerability does not affect you. Any dependency that uses `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect the `NODE_ENV` variable configured in your environment. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are normally not compiled as part of this process and therefore should not be affected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. This vulnerability was fixed in @keystone-6/core@3.0.2; regression tests for this vulnerability were added in #8063."
          }
        ],
        "affected": [
          {
            "source": "security-advisories@github.com",
            "affectedData": [
              {
                "vendor": "keystonejs",
                "product": "keystone",
                "versions": [
                  { "version": ">= 3.0.0, < 3.0.2", "status": "affected" }
                ]
              }
            ]
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9
            }
          ],
          "ssvcV203": [
            {
              "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "ssvcData": {
                "timestamp": "2025-04-22T15:36:33.217408Z",
                "id": "CVE-2022-39382",
                "options": [
                  { "exploitation": "poc" },
                  { "automatable": "yes" },
                  { "technicalImpact": "total" }
                ],
                "role": "CISA Coordinator",
                "version": "2.0.3"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [ { "lang": "en", "value": "CWE-74" } ]
          },
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [ { "lang": "en", "value": "CWE-74" } ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:keystonejs:keystone:3.0.0:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "2A1639F4-A82C-44BD-906A-EBC32CAFA194"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:keystonejs:keystone:3.0.1:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "509439A0-C352-4697-B8F7-190F583386FA"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/keystonejs/keystone/pull/8031/",
            "source": "security-advisories@github.com",
            "tags": [ "Patch", "Third Party Advisory" ]
          },
          {
            "url": "https://github.com/keystonejs/keystone/pull/8063",
            "source": "security-advisories@github.com",
            "tags": [ "Patch", "Third Party Advisory" ]
          },
          {
            "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343",
            "source": "security-advisories@github.com",
            "tags": [ "Exploit", "Third Party Advisory" ]
          },
          {
            "url": "https://github.com/keystonejs/keystone/pull/8031/",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": [ "Patch", "Third Party Advisory" ]
          },
          {
            "url": "https://github.com/keystonejs/keystone/pull/8063",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": [ "Patch", "Third Party Advisory" ]
          },
          {
            "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": [ "Exploit", "Third Party Advisory" ]
          }
        ]
      }
    }
  ]
}