An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcyNGMtNnZyZi05OXJx

Sensitive Data Exposure in loopback

Versions of loopback prior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft.


If you're using loopback 3.x, upgrade to version 3.26.0 or later. If you're using loopback 2.x, upgrade to version 2.42.0 or later.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 3 years ago
Updated: 11 months ago

Identifiers: GHSA-724c-6vrf-99rq

Affected Packages

Versions: >= 3.0.0, <= 3.25.0 (3.x); <= 2.41.0 (2.x)
Fixed in: 3.26.0, 2.42.0