fix(deps): Update dependency firebase to v10 [SECURITY] by renovate[bot] · Pull Request #412 · stipsan/hyperfokus

renovate · 2024-11-18T21:44:00Z

This PR contains the following updates:

Package	Change	Age	Confidence
firebase (source, changelog)	`^7.24.0` → `^10.0.0`

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

CVE-2024-11023 / GHSA-3wf4-68gx-mph8

More information

Details

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Severity

CVSS Score: 5.2 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

firebase/firebase-js-sdk (firebase)

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

vercel · 2024-11-18T21:44:02Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperfokus	Error		Jun 13, 2026 8:00pm

socket-security · 2024-11-18T21:45:23Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	firebase@7.24.0 ⏵ 10.14.1	⁺¹	⁺²	⁺¹

View full report

socket-security · 2025-08-19T18:12:07Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

renovate Bot added ⚠️ major 📦 deps 🤖 bot labels Nov 18, 2024

vercel Bot had a problem deploying to Preview November 18, 2024 21:44 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 1c587a2 to 1456b9d Compare August 10, 2025 14:25

vercel Bot had a problem deploying to Preview August 10, 2025 14:27 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 1456b9d to 4e82dce Compare August 19, 2025 18:09

vercel Bot had a problem deploying to Preview August 19, 2025 18:10 Failure

renovate Bot changed the title ~~fix(deps): Update dependency firebase to v10 [SECURITY]~~ fix(deps): Update dependency firebase to v10 [SECURITY] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-firebase-vulnerability branch March 27, 2026 01:41

renovate Bot changed the title ~~fix(deps): Update dependency firebase to v10 [SECURITY] - autoclosed~~ fix(deps): Update dependency firebase to v10 [SECURITY] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch 2 times, most recently from 4e82dce to fa29cf5 Compare March 30, 2026 22:18

vercel Bot had a problem deploying to Preview March 30, 2026 22:20 Failure

renovate Bot changed the title ~~fix(deps): Update dependency firebase to v10 [SECURITY]~~ fix(deps): Update dependency firebase to v10 [SECURITY] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~fix(deps): Update dependency firebase to v10 [SECURITY] - autoclosed~~ fix(deps): Update dependency firebase to v10 [SECURITY] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch 2 times, most recently from fa29cf5 to 9a46e70 Compare April 27, 2026 19:30

vercel Bot had a problem deploying to Preview April 27, 2026 19:34 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 9a46e70 to cbafa56 Compare April 29, 2026 14:11

vercel Bot had a problem deploying to Preview April 29, 2026 14:12 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from cbafa56 to 79c4fcc Compare May 12, 2026 11:01

vercel Bot had a problem deploying to Preview May 12, 2026 11:01 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 79c4fcc to c0e6754 Compare May 18, 2026 10:59

vercel Bot had a problem deploying to Preview May 18, 2026 11:02 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from c0e6754 to 4da4e0e Compare May 28, 2026 13:54

vercel Bot had a problem deploying to Preview May 28, 2026 13:54 Failure

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 4da4e0e to 7d545fa Compare June 1, 2026 19:47

vercel Bot had a problem deploying to Preview June 1, 2026 19:47 Failure

fix(deps): Update dependency firebase to v10 [SECURITY]

610c106

renovate Bot force-pushed the renovate/npm-firebase-vulnerability branch from 7d545fa to 610c106 Compare June 13, 2026 20:00

vercel Bot had a problem deploying to Preview June 13, 2026 20:00 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): Update dependency firebase to v10 [SECURITY]#412

fix(deps): Update dependency firebase to v10 [SECURITY]#412
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-firebase-vulnerability

renovate Bot commented Nov 18, 2024 •

edited

Loading

Uh oh!

vercel Bot commented Nov 18, 2024 •

edited

Loading

Uh oh!

socket-security Bot commented Nov 18, 2024 •

edited

Loading

Uh oh!

socket-security Bot commented Aug 19, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Nov 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Details

Severity

References

Release Notes

Configuration

Uh oh!

vercel Bot commented Nov 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Nov 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Aug 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Nov 18, 2024 •

edited

Loading

vercel Bot commented Nov 18, 2024 •

edited

Loading

socket-security Bot commented Nov 18, 2024 •

edited

Loading

socket-security Bot commented Aug 19, 2025 •

edited

Loading