Tinacms CVE-2023-25164

HIGH
Information Exposure (CWE-200)
8.6
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Analysis Generated: Mar 13, 2026 - 20:30 (vuln.today)
Patch released: Mar 13, 2026 - 20:11 (nvd) [patch available]
CVE Published: Feb 08, 2023 - 20:15 (nvd)

Description (NVD)

Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (e.g. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.

Analysis (AI)

High-severity (CVSS 8.6) information disclosure in @tinacms/cli versions 1.0.0 through 1.0.8: the build writes the values held in process.env, including any secrets the site keeps there, in plaintext into the generated index.js. Anyone who can read that built file can recover the exposed API keys, database credentials or other secrets; no authentication is involved, because the leak is in a build artifact rather than behind an application endpoint. No active exploitation has been observed (EPSS: 0.37%, not in KEV). The fix is in @tinacms/cli 1.0.9. Because affected builds have already written the secrets out, upgrading alone does not close the exposure: any credential that was in the environment of an affected build must be rotated.

Technical Context (AI)

TinaCMS is a Git-backed headless CMS for Node.js (CPE: cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*) that supports visual editing. The weakness is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): when @tinacms/cli versions 1.0.0 through 1.0.8 compile a site, the build step inlines the contents of process.env into the generated index.js as plaintext string literals instead of resolving only the variables the client code needs. The values are therefore readable by anyone who can view the built JavaScript, and they persist in every copy of that artifact (CDN caches, deployment history, build archives, and any repository the output was committed to) until those copies are replaced. Exposure does not depend on the site being misconfigured at runtime; a build whose environment held a secret is sufficient.

Remediation (AI)

Immediate actions required:

1) Upgrade to @tinacms/cli version 1.0.9 or later (patch PR: https://github.com/tinacms/tinacms/pull/3584).
2) Rotate ALL credentials that were present as environment variables during any affected build, especially API keys for services like Algolia. Rotation should not wait for the upgrade to be deployed; the values are already in the built output.
3) Audit deployed index.js files (and any cached, archived or committed copies of the build output) for the exposed values. Search for the secret values themselves, not just variable names, since the build emits the values.
4) Rebuild and redeploy affected sites after patching so the leaked artifact is replaced, and purge caches that may still serve the old file.

No workarounds are available; upgrading is the only fix for the build itself, and rotation is the only fix for secrets already leaked. Check the vendor security advisory for full details.
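As an added example (not code from TinaCMS or @tinacms/cli), the block below simulates the kind of build-time process.env substitution the Technical Context describes, in a risky and a hardened configuration, and then performs the audit from step 3 of the Remediation list over both outputs. The env map, the source snippet, the TINA_PUBLIC_ prefix, the function names and the bundle outputs are all constructed assumptions for illustration; the real CLI's internals are not reproduced.

```javascript
// Added example; not code from @tinacms/cli or the TinaCMS project.
// It simulates a bundler-style build-time substitution of `process.env`
// (the class of behaviour the advisory describes) in two configurations,
// then audits the resulting bundles for environment values that should
// never have shipped. All inputs below are constructed for illustration.

// Constructed CI environment. TINA_PUBLIC_ is a hypothetical "safe for the
// browser" name prefix; the other values stand in for secrets.
const buildEnv = {
  NODE_ENV: 'production',
  TINA_PUBLIC_CLIENT_ID: 'client-1234',
  ALGOLIA_ADMIN_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6',
  DATABASE_URL: 'postgres://app:s3cr3t-pw@db.internal:5432/site',
  WEBHOOK_SECRET: 'wh"sec-0123456789', // contains a quote: lands JSON-escaped
};

// Constructed application source as a bundler would see it: one site reads
// the whole env object, another reads a single public variable.
const appSource = [
  'const cfg = process.env;',
  'const clientId = process.env.TINA_PUBLIC_CLIENT_ID;',
  'export default { cfg, clientId };',
].join('\n');

// Stand-in for a bundler "define" pass: each key is replaced verbatim by its
// replacement text. Real bundlers work on the AST; a string replace is
// enough to show what text ends up in the output file.
function applyDefines(source, defines) {
  // Longest keys first so `process.env.NAME` is matched before `process.env`.
  const keys = Object.keys(defines).sort((a, b) => b.length - a.length);
  let out = source;
  for (const key of keys) {
    out = out.split(key).join(defines[key]);
  }
  return out;
}

// Risky configuration: the entire environment is serialised into the bundle.
// This is the shape of the defect the CVE describes; every variable, secret
// or not, becomes a plaintext string literal in the output.
function buildUnsafe(source, env) {
  return applyDefines(source, { 'process.env': JSON.stringify(env) });
}

// Hardened configuration: only variables carrying an explicit public prefix
// are inlined, each as its own define. `process.env` itself is never
// replaced, so a stray whole-object read cannot pull secrets into the bundle.
function buildAllowlisted(source, env, publicPrefix = 'TINA_PUBLIC_') {
  const defines = {};
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(publicPrefix)) {
      defines[`process.env.${name}`] = JSON.stringify(value);
    }
  }
  return applyDefines(source, defines);
}

// Audit for the "check your deployed index.js" step: report env variables
// whose value appears verbatim in a bundle. A value may be present raw or
// JSON-escaped (quotes, backslashes), so both forms are checked. Values
// shorter than `minLength` and names under `publicPrefix` are skipped to
// keep the report focused on material that is both secret and distinctive.
function findLeakedEnv(bundle, env, { minLength = 8, publicPrefix = 'TINA_PUBLIC_' } = {}) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(publicPrefix) || value.length < minLength) continue;
    const escaped = JSON.stringify(value).slice(1, -1); // strip outer quotes
    if (bundle.includes(value) || bundle.includes(escaped)) leaked.push(name);
  }
  return leaked.sort();
}

const unsafeBundle = buildUnsafe(appSource, buildEnv);
const safeBundle = buildAllowlisted(appSource, buildEnv);

console.log('unsafe build leaks:     ', findLeakedEnv(unsafeBundle, buildEnv));
console.log('allowlisted build leaks:', findLeakedEnv(safeBundle, buildEnv));
```

Run it with node: the unsafe build reports every distinctive environment value (the quoted WEBHOOK_SECRET is only found through its JSON-escaped form, which is why the audit checks both forms), while the allowlisted build reports none. To audit a real site, pass findLeakedEnv the contents of the deployed index.js and the environment the build ran with; a hit means that value must be rotated, not merely dropped from the next build.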


CVE-2023-25164 vulnerability details – vuln.today
