
Cloud Vulnerability DB
A community-led vulnerabilities database
semantic-release is an open source npm package for automated version management and package publishing. In affected versions prior to 19.0.3, secrets that would normally be masked by semantic-release could be accidentally disclosed if they contain characters that are excluded from URI encoding by encodeURI(). This vulnerability was discovered in June 2022 and assigned CVE-2022-31051 (GitHub Advisory).
The vulnerability occurs when secrets contain characters that are excluded from URI encoding by the encodeURI() function. The encodeURI() function does not encode certain characters that are part of URI syntax, including ;/?:@&=+$,# (MDN Docs). This behavior could lead to secrets being exposed in logs or other output when they contain these special characters. The vulnerability is rated as Moderate severity and is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).
The impact of this vulnerability is limited to execution contexts where push access to the related repository is not available without modifying the repository URL to inject credentials. When exploitable, it could lead to the disclosure of sensitive information that should have been masked by the semantic-release package (GitHub Advisory).
The issue has been patched in version 19.0.3 of semantic-release. For users unable to upgrade, a workaround exists: ensure that secrets do not contain characters that are excluded from encoding with encodeURI when included in a URL. The fix involves using the original form of the repository URL to remove the need to mask credentials (GitHub Release).
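A constructed JavaScript illustration of the masking gap described above (an added example, not semantic-release's own code): a masker that knows only a secret's raw and encodeURI() forms is checked against a log line in which the same credential was encoded with encodeURIComponent(). The log line, variable names and the encodeURIComponent() assumption are mine; the hardened masker shows one way to close the gap, not the upstream fix.

```javascript
// Added illustration, not semantic-release's own code: a log masker built from
// each secret's raw and encodeURI() forms, and the gap that opens when the
// secret reaches the output in a different encoding (constructed example).

const SECRET_REPLACEMENT = '[secure]';
// Hypothetical rule for picking which environment variables hold secrets.
const SECRET_NAME_RE = /token|password|credential|secret|private/i;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a masker that replaces every form produced by `encoders` for each secret.
function makeMasker(env, encoders) {
  const names = Object.keys(env).filter((k) => SECRET_NAME_RE.test(k) && env[k]);
  if (names.length === 0) return (output) => output;
  const forms = names.flatMap((k) => encoders.map((enc) => escapeRegExp(enc(String(env[k])))));
  const re = new RegExp(forms.join('|'), 'g');
  return (output) => output.replace(re, SECRET_REPLACEMENT);
}

// Weak masker: raw form plus encodeURI() form only. For ;/?:@&=+$,# those two
// forms are identical, so any other encoding of the secret goes unmasked.
const weakMasker = (env) => makeMasker(env, [(s) => s, encodeURI]);
// Hardened masker: also covers the encodeURIComponent() form (one way to close
// the gap; the advisory's fix instead avoids needing to mask credentials at all).
const hardenedMasker = (env) => makeMasker(env, [(s) => s, encodeURI, encodeURIComponent]);

// Characters of `secret` that encodeURI() leaves as-is but encodeURIComponent() encodes.
function riskyChars(secret) {
  return [...secret].filter((ch) => encodeURI(ch) !== encodeURIComponent(ch));
}

// Constructed log line: a credentialed git URL whose userinfo was component-encoded.
function buildLogLine(secret) {
  return `Pushing to https://git:${encodeURIComponent(secret)}@example.invalid/org/repo.git`;
}

// True if the secret, in any of the three forms, survives masking of the log line.
function leaks(masker, env, name) {
  const secret = env[name];
  const out = masker(env)(buildLogLine(secret));
  return [secret, encodeURI(secret), encodeURIComponent(secret)].some((f) => out.includes(f));
}

const sampleEnv = { GH_TOKEN: 'ghp#Ex4mple?tok', HOME: '/home/ci' }; // constructed values
console.log(riskyChars(sampleEnv.GH_TOKEN));                              // ['#', '?']
console.log('weak masker leaks:', leaks(weakMasker, sampleEnv, 'GH_TOKEN'));         // true
console.log('hardened masker leaks:', leaks(hardenedMasker, sampleEnv, 'GH_TOKEN')); // false
```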
Source: This report was generated using AI