Update dependency firebase to v10 [SECURITY] by renovate[bot] · Pull Request #328 · devsoc-unsw/unilectives

renovate · 2024-11-18T22:54:43Z

This PR contains the following updates:

Package	Change	Age	Confidence
firebase (source, changelog)	`^9.10.0` → `^10.0.0`

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

CVE-2024-11023 / GHSA-3wf4-68gx-mph8

More information

Details

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Severity

CVSS Score: 5.2 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

firebase/firebase-js-sdk (firebase)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-04-27T18:58:20Z

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

renovate Bot added the dependencies Pull requests that update a dependency file label Nov 18, 2024

alecliu1204 force-pushed the develop branch from c796e3c to b63430b Compare June 18, 2025 00:59

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 1d2a904 to ca1db77 Compare June 18, 2025 01:01

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from ca1db77 to 5658603 Compare August 10, 2025 14:58

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 5658603 to 14c2e96 Compare August 19, 2025 14:03

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 14c2e96 to 6ece675 Compare December 3, 2025 14:39

lhvy force-pushed the develop branch from 4c656ed to 0266fa9 Compare March 20, 2026 01:02

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch 2 times, most recently from 474249d to 1e42e6c Compare March 20, 2026 01:21

renovate Bot changed the title ~~fix(deps): update dependency firebase to v10 [security]~~ fix(deps): update dependency firebase to v10 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-firebase-vulnerability branch March 27, 2026 01:26

renovate Bot changed the title ~~fix(deps): update dependency firebase to v10 [security] - autoclosed~~ fix(deps): update dependency firebase to v10 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch 2 times, most recently from 1e42e6c to 5ed0aac Compare March 30, 2026 21:13

renovate Bot changed the title ~~fix(deps): update dependency firebase to v10 [security]~~ Update dependency firebase to v10 [SECURITY] Apr 8, 2026

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 5ed0aac to 6f5c633 Compare April 8, 2026 14:58

renovate Bot changed the title ~~Update dependency firebase to v10 [SECURITY]~~ Update dependency firebase to v10 [SECURITY] - abandoned Apr 27, 2026

renovate Bot changed the title ~~Update dependency firebase to v10 [SECURITY] - abandoned~~ Update dependency firebase to v10 [SECURITY] Apr 27, 2026

Update dependency firebase to v10 [SECURITY]

7e52e4c

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 6f5c633 to 7e52e4c Compare April 29, 2026 11:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency firebase to v10 [SECURITY]#328

Update dependency firebase to v10 [SECURITY]#328
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-firebase-vulnerability

renovate Bot commented Nov 18, 2024 •

edited

Loading

Uh oh!

renovate Bot commented Apr 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Nov 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Details

Severity

References

Release Notes

Configuration

Uh oh!

renovate Bot commented Apr 27, 2026

Autoclosing Skipped

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Nov 18, 2024 •

edited

Loading