Description
cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.
Remediation
References
https://github.com/simonsmith/cypress-image-snapshot/commit/ef49519795daf5183f4fac6f3136e194f20f39f4
https://github.com/simonsmith/cypress-image-snapshot/issues/15
https://github.com/simonsmith/cypress-image-snapshot/releases/tag/8.0.2
https://github.com/simonsmith/cypress-image-snapshot/security/advisories/GHSA-vxjg-hchx-cc4g
Related Vulnerabilities
CVE-2022-41965 Vulnerability in maven package org.opencastproject:opencast-engage-paella-player
CVE-2019-14439 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2021-29624 Vulnerability in npm package fastify-csrf
CVE-2021-3629 Vulnerability in maven package io.undertow:undertow-core
CVE-2018-8013 Vulnerability in maven package org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom