CVE-2022-46155: 
Homebrew vulnerability analysis and mitigation

CVE-2022-46155 is a security vulnerability discovered in Airtable.js that was disclosed on November 29, 2022. The vulnerability stemmed from a misconfigured build script in the source package that would bundle environment variables, specifically the AIRTABLEAPIKEY and AIRTABLEENDPOINTURL, into the build target of a transpiled bundle during Browserify builds (GitHub Advisory).

The vulnerability occurs when the build script is executed, potentially exposing sensitive environment variables in the transpiled bundle. The issue has been assigned a CVSS v3.1 score of 7.7 (High), with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-522, indicating insufficient protection of credentials (GitHub Advisory).

The vulnerability could expose Airtable API keys set in users' environments via the AIRTABLEAPIKEY environment variable if three conditions are met: 1) the user has cloned the Airtable.js source, 2) the user runs the npm prepare script, and 3) the user has the AIRTABLEAPIKEY environment variable set. If these conditions are met, the API key could be accidentally shipped in bundled code (GitHub Advisory).

Users are advised to either upgrade to Airtable.js version 0.11.6 or higher, or unset the AIRTABLEAPIKEY environment variable in their shell and remove it from shell configuration files. Additionally, it is recommended to regenerate any Airtable API keys that may have been exposed in bundled code (GitHub Advisory).