CVE-2023-25164: 
JavaScript vulnerability analysis and mitigation

CVE-2023-25164 is a high-severity vulnerability affecting TinaCMS versions 1.0.0 through 1.0.9. The vulnerability was discovered and disclosed in February 2023, affecting sites building with @tinacms/cli that store sensitive values in process.env variables. This security issue involves the exposure of sensitive environment variables through script files (GitHub Advisory).

The vulnerability has a CVSS v3.1 base score of 8.6 (High), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Changed scope, and High confidentiality impact. The vulnerability is classified as CWE-200, exposing sensitive information to unauthorized actors through script files (GitHub Advisory).

The vulnerability could lead to the exposure of sensitive credentials stored as environment variables. This includes potentially sensitive information such as API keys (e.g., Algolia API keys) and other credentials that were stored in the environment variables. Sites using TinaCMS versions 1.0.0 through 1.0.9 were affected, though versions prior to 1.0.0 were not impacted (GitHub Advisory).

The vulnerability was patched in @tinacms/cli version 1.0.9. Users are advised to upgrade to this version immediately. Additionally, any sensitive credentials that were potentially exposed should be rotated. For ongoing security, environment variables used in field customization should be prefixed with TINAPUBLIC or NEXTPUBLIC (GitHub PR).