CVE-2020-7650
Description
All versions of snyk-broker from 4.72.0 (inclusive) up to, but not including, 4.73.1 are vulnerable to Arbitrary File Read. The flaw allows users with access to Snyk's internal network to read arbitrary files ending in any of the following extensions: yaml, yml or json.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arbitrary file read in snyk-broker versions 4.72.0 to 4.73.0 allows reading yaml, yml, or json files, risking exposure of sensitive data.
Vulnerability
The snyk-broker package, used to proxy access between Snyk and Git repositories (e.g., GitHub, Bitbucket), is vulnerable to arbitrary file read in versions 4.72.0 through 4.73.0. The flaw is limited to files with the extensions .yaml, .yml, or .json, and allows unauthorized reads of such files on Snyk's internal network. The root cause is insufficient access controls when the broker processes file requests from users with network-level access.
Exploitation
An attacker with access to Snyk's internal network can exploit this vulnerability by crafting requests that read arbitrary files with the specified extensions. No authentication beyond network access is required. The attack surface is limited to internal network users, but such access could be obtained through other means (e.g., compromised credentials or network intrusion).
Impact
Successful exploitation enables an attacker to read sensitive configuration files (e.g., YAML, JSON) that may contain credentials, API keys, or other secrets. This could lead to further compromise of Snyk services or connected resources, such as Git repositories and Jira deployments.
Mitigation
The vulnerability is fixed in snyk-broker version 4.73.1 and later. Users should upgrade immediately to protect their environments. No workarounds are available. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snyk-broker (npm) | < 4.73.1 | 4.73.1 |
Affected products
- snyk-broker/snyk-broker
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-2fmp-7xwf-wvwr (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-7650 (NVD advisory)
- snyk.io/vuln/SNYK-JS-SNYKBROKER-570609 (Snyk vulnerability page)
- updates.snyk.io/snyk-broker-security-fixes-152338 (Snyk security fixes announcement)
News mentions
No linked articles in our index yet.