fix(deps): update dependency firebase to v10 [security] by renovate[bot] · Pull Request #1367 · crh225/angular-github-issues

renovate · 2024-11-19T01:33:37Z

This PR contains the following updates:

Package	Change	Age	Confidence
firebase (source, changelog)	`8.0.1` → `10.9.0`

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

CVE-2024-11023 / GHSA-3wf4-68gx-mph8

More information

Details

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Severity

CVSS Score: 5.2 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

firebase/firebase-js-sdk (firebase)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 2a9369d to c179936 Compare August 10, 2025 12:53

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from c179936 to ca957e7 Compare August 19, 2025 14:13

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from ca957e7 to a309aea Compare September 25, 2025 15:29

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from a309aea to 42da361 Compare October 23, 2025 19:30

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 42da361 to da0f7d1 Compare November 10, 2025 21:04

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from da0f7d1 to 1006a22 Compare November 18, 2025 15:15

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 1006a22 to 076cceb Compare December 31, 2025 17:49

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 076cceb to 90e8528 Compare January 19, 2026 15:39

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 90e8528 to e45a702 Compare February 2, 2026 17:02

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from e45a702 to a35770e Compare February 12, 2026 11:57

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from a35770e to 837c8e9 Compare March 5, 2026 19:15

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 837c8e9 to 5ed4517 Compare March 13, 2026 11:19

renovate Bot changed the title ~~fix(deps): update dependency firebase to v10 [security]~~ fix(deps): update dependency firebase to v10 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-firebase-vulnerability branch March 27, 2026 00:55

renovate Bot changed the title ~~fix(deps): update dependency firebase to v10 [security] - autoclosed~~ fix(deps): update dependency firebase to v10 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch 2 times, most recently from 5ed4517 to 469f665 Compare March 30, 2026 18:09

fix(deps): update dependency firebase to v10 [security]

907a6ad

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 469f665 to 907a6ad Compare April 8, 2026 19:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency firebase to v10 [security]#1367

fix(deps): update dependency firebase to v10 [security]#1367
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-firebase-vulnerability

renovate Bot commented Nov 19, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Nov 19, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Details

Severity

References

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Nov 19, 2024 •

edited

Loading