CVE-2023-6460: 
JavaScript vulnerability analysis and mitigation

A potential logging vulnerability exists in nodejs-firestore where the firestore key could be exposed via logging. The vulnerability was discovered and assigned CVE-2023-6460, affecting the Google Cloud Firestore Node.js client library. The issue occurs when developers log objects through this._settings, which would inadvertently expose the firestore key to anyone with logs read access (NVD Results).

The vulnerability stems from improper handling of sensitive credentials in the logging functionality. When developers log Firestore objects like WriteBatch, Transaction, or document references using JSON.stringify, the entire settings object including the private authentication key gets exposed through this._settings property (GitHub PR). The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) (NVD Results).

The vulnerability could lead to the exposure of sensitive Firestore credentials to anyone with access to application logs. This could potentially allow unauthorized access to the Firestore database if the exposed credentials are compromised (GitHub PR).

The recommended mitigation is to upgrade to version 6.1.0 or later of the nodejs-firestore library, which implements proper credential redaction in the logging functionality (NVD Results).