CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qcr8-x557-7cp3: @asymmetric-effort/specifyjs: Production console warnings may leak internal framework state

medium
Finding Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71 Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console. Status Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details. Recommendation Gate all development-time console.warn and console.error calls behind process.env.NODE_ENV !== 'production' or a DEV constant that build tools can tree-shake.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qcr8-x557-7cp3

More from GitHub Security Advisories