CVE-2020-7651
Description
All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Snyk Broker before 4.79.0 allows authenticated users on Snyk's internal network to partially read arbitrary files through the GitHub Commits API patch history.
Vulnerability
Overview
CVE-2020-7651 affects all versions of snyk-broker prior to 4.79.0. The package proxies access between snyk.io and Git repositories like GitHub Enterprise. The vulnerability is an arbitrary file read that enables partial file disclosure for attackers who have network access to Snyk's internal infrastructure. The root cause involves how the broker handles patch history data from the GitHub Commits API, allowing unintended file content exposure [1][2].
Exploitation
Exploitation requires the attacker to already have access to Snyk's internal network, so the flaw is not reachable from the public internet. The attacker leverages the broker's processing of commit patch diffs, returned by the GitHub Commits API, to retrieve contents of files that the broker's allowlist is not meant to expose. No victim interaction is needed; the only precondition is the attacker's access to the internal network [2].
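The mechanism above, as an added illustration that is not snyk-broker's own code and not its 4.79.0 fix: a proxy that allowlists request paths in the broker's style but forwards the upstream body verbatim still discloses file contents, because GitHub's Commits API (GET /repos/:owner/:repo/commits/:sha) returns each changed file's diff in the files[].patch field. The path matcher, the accept rules, the redaction step and the sample response are all constructed for this example; the field names match the real Commits API shape, the values do not come from any real repository.

```javascript
// Added illustration, not snyk-broker code or its actual fix: why a path
// allowlist alone does not contain what the GitHub Commits API hands back,
// and a field-level allowlist on the response that closes the gap.

// Hypothetical path matcher: ':name' matches exactly one non-empty segment.
function pathMatches(pattern, path) {
  const pat = pattern.split('/');
  const got = path.split('/');
  if (pat.length !== got.length) return false;
  return pat.every((seg, i) =>
    (seg.startsWith(':') ? got[i].length > 0 : seg === got[i]));
}

// Hypothetical accept rules, shaped like a request-path allowlist.
const ACCEPT_RULES = [
  { method: 'GET', path: '/repos/:owner/:repo/commits/:sha' },
];

// Constructed sample of a single-commit response (fields abbreviated).
// "patch" is where a committed secret travels to the proxy's client.
const SAMPLE_COMMIT_RESPONSE = {
  sha: 'abc123',
  commit: { message: 'rotate database password' },
  files: [
    { filename: 'config/production.env', status: 'modified',
      additions: 1, deletions: 1, changes: 2,
      raw_url: 'https://github.example/acme/app/raw/abc123/config/production.env',
      patch: '@@ -1 +1 @@\n-DB_PASSWORD=old-secret\n+DB_PASSWORD=new-secret' },
    { filename: 'package.json', status: 'modified',
      additions: 1, deletions: 1, changes: 2,
      raw_url: 'https://github.example/acme/app/raw/abc123/package.json',
      patch: '@@ -10 +10 @@\n-    "lodash": "4.17.15"\n+    "lodash": "4.17.19"' },
  ],
};

// Field-level allowlist for the forwarded body: keep what a dependency
// scanner needs (which files changed), drop diffs and content links.
const FILE_FIELDS_TO_KEEP = ['filename', 'status', 'additions', 'deletions', 'changes'];

function redactCommitResponse(body) {
  const files = Array.isArray(body.files) ? body.files : [];
  return {
    sha: body.sha,
    commit: { message: body.commit && body.commit.message },
    files: files.map((f) => Object.fromEntries(
      FILE_FIELDS_TO_KEEP.filter((k) => k in f).map((k) => [k, f[k]]))),
  };
}

// Naive proxy: allowlist the path, forward the upstream body verbatim.
// Returns null when the request is rejected (the proxy would answer 401/403).
function forwardVerbatim(method, path, upstreamBody) {
  const allowed = ACCEPT_RULES.some(
    (r) => r.method === method && pathMatches(r.path, path));
  return allowed ? upstreamBody : null;
}

// Hardened proxy: same path allowlist, plus response redaction on this route.
function forwardRedacted(method, path, upstreamBody) {
  const body = forwardVerbatim(method, path, upstreamBody);
  return body === null ? null : redactCommitResponse(body);
}

// True if the serialized response still carries the given marker string.
function leaksSecret(body, marker) {
  return body !== null && JSON.stringify(body).includes(marker);
}

const route = '/repos/acme/app/commits/abc123';
console.log('verbatim forwarding leaks DB_PASSWORD:',
  leaksSecret(forwardVerbatim('GET', route, SAMPLE_COMMIT_RESPONSE), 'DB_PASSWORD'));
console.log('redacted forwarding leaks DB_PASSWORD:',
  leaksSecret(forwardRedacted('GET', route, SAMPLE_COMMIT_RESPONSE), 'DB_PASSWORD'));
```

The point of the example is the trust boundary: once a caller inside the broker's client network can reach an allowlisted commits route, every byte the upstream API returns for that route is in scope, so the response body needs its own allowlist rather than relying on the request-path rule. Redaction here is allowlist-based (keep named fields) rather than blocklist-based (strip "patch"), so new upstream fields default to being dropped.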
Impact
A successful attack can lead to partial reads of arbitrary files on the system. While the read is partial, it could expose sensitive information such as credentials, configuration details, or source code stored on the server. The vulnerability is scored with a CVSS v3.1 base score of 5.3 (Medium), reflecting the need for internal network access [1][2].
Mitigation
The fix is available in snyk-broker version 4.79.0 and later. Users should upgrade immediately. There is no mention of a workaround, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snyk-broker (npm) | < 4.79.0 | 4.79.0 |
Affected products
- snyk-broker/snyk-broker
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-45hw-29x7-9x95 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7651 (NVD advisory)
- snyk.io/vuln/SNYK-JS-SNYKBROKER-570610 (Snyk vulnerability database, via GHSA)
- updates.snyk.io/snyk-broker-security-fixes-152338 (Snyk release notes, via GHSA)
News mentions
No linked articles in our index yet.