
Cloud Vulnerability DB
A community-led vulnerabilities database
Keystone, a headless CMS for Node.js built with GraphQL and React, has a critical vulnerability in versions 3.0.0 and 3.0.1 of the @keystone-6/core package. Disclosed on November 3, 2022, the issue is that NODE_ENV defaulted to 'development' in production builds because of an esbuild configuration issue (GitHub Advisory).
The root cause is that esbuild defaults NODE_ENV to 'development' when no platform configuration is set, so user TypeScript code was compiled with NODE_ENV inlined as the constant 'development'. The vulnerability received a CVSS v3.1 score of 9.8 (Critical): network attack vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).
The impact is limited to users of @keystone-6/core versions 3.0.0 and 3.0.1 whose own code uses NODE_ENV to gate security-sensitive functionality in production builds; any code that runs conditionally on NODE_ENV would run unintentionally in production builds. Dependencies that key particular behaviours on NODE_ENV still read the environment's configured NODE_ENV variable at runtime and are unaffected (GitHub Advisory).
The vulnerability has been patched in @keystone-6/core version 3.0.2. For users unable to upgrade, the recommended workaround is to remove any code that uses NODE_ENV in ways that may affect application security. The fix was implemented in pull request #8031, with regression tests added in pull request #8063 (GitHub Advisory).
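The following is an added example, not code from Keystone, esbuild or the advisory. It simulates the build-time substitution described above (an esbuild-style replacement of `process.env.NODE_ENV` with a string literal when no platform is set) so the impact can be reproduced offline, places the vulnerable pattern beside the workaround the advisory recommends, and includes a check a practitioner can run over real build output. The function names, the `platform` option handling and the environment variable `ENABLE_DEBUG_ROUTES` are assumptions made for the demonstration.

```javascript
// Build step (simulated): with no `platform` set, an esbuild-style bundler
// inlines process.env.NODE_ENV as the literal "development" (the advisory's
// case). With platform "node" the expression is left for runtime evaluation.
function simulateBuild(source, options = {}) {
  if (options.platform === 'node') {
    return source;
  }
  return source.replace(/process\.env\.NODE_ENV/g, JSON.stringify('development'));
}

// Run a built module under a given runtime environment. A stand-in `process`
// object is injected so the demo does not depend on the real environment.
function runBuilt(bundle, env) {
  const fakeProcess = { env: { ...env } };
  return new Function('process', 'return ' + bundle.trim())(fakeProcess);
}

// Vulnerable pattern (constructed): security-sensitive behaviour keyed on
// NODE_ENV, exactly the kind of code the advisory says is affected.
const VULNERABLE_SOURCE = `
(function () {
  const isDev = process.env.NODE_ENV === 'development';
  return { skipAuth: isDev, exposeDebugRoutes: isDev };
})()
`;

// Hardened pattern (constructed): NODE_ENV no longer gates anything
// security-relevant. An explicit runtime flag (hypothetical name) that no
// bundler auto-defines is used instead, defaulting to the safe setting.
const HARDENED_SOURCE = `
(function () {
  const debug = process.env.ENABLE_DEBUG_ROUTES === '1';
  return { skipAuth: false, exposeDebugRoutes: debug };
})()
`;

// Check for build output: if the source referenced process.env.NODE_ENV but
// the bundle no longer does, the value was frozen at build time and the
// runtime NODE_ENV is ignored by that code.
function nodeEnvWasInlined(source, bundle) {
  const ref = /process\.env\.NODE_ENV/;
  return ref.test(source) && !ref.test(bundle);
}

// Effective settings of each pattern when deployed with NODE_ENV=production.
function vulnerableBuildInProduction(platform) {
  const bundle = simulateBuild(VULNERABLE_SOURCE, { platform });
  return runBuilt(bundle, { NODE_ENV: 'production' });
}

function hardenedBuildInProduction(platform) {
  const bundle = simulateBuild(HARDENED_SOURCE, { platform });
  return runBuilt(bundle, { NODE_ENV: 'production' });
}

console.log('no platform, vulnerable:', vulnerableBuildInProduction(undefined));
// -> { skipAuth: true, exposeDebugRoutes: true }   (the advisory's failure mode)
console.log('platform node, vulnerable:', vulnerableBuildInProduction('node'));
// -> { skipAuth: false, exposeDebugRoutes: false }
console.log('no platform, hardened:', hardenedBuildInProduction(undefined));
// -> { skipAuth: false, exposeDebugRoutes: false }
console.log('inlined?', nodeEnvWasInlined(VULNERABLE_SOURCE, simulateBuild(VULNERABLE_SOURCE)));
// -> true
```

The first scenario is the advisory's impact: the process runs with NODE_ENV=production, yet the compiled code behaves as if it were in development because the comparison was resolved at build time. The hardened source gives the same safe result regardless of how it was built, which is why the advisory's workaround (removing security-relevant uses of NODE_ENV) is effective even without upgrading. Running `nodeEnvWasInlined` over a real bundle and its source is a quick way to tell whether a given build froze the value.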
Source: This report was generated using AI