Description
cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.
Remediation
References
https://github.com/simonsmith/cypress-image-snapshot/releases/tag/8.0.2
https://github.com/simonsmith/cypress-image-snapshot/commit/ef49519795daf5183f4fac6f3136e194f20f39f4
https://github.com/simonsmith/cypress-image-snapshot/security/advisories/GHSA-vxjg-hchx-cc4g
https://github.com/simonsmith/cypress-image-snapshot/issues/15
Related Vulnerabilities
CVE-2023-37914 Vulnerability in maven package org.xwiki.platform:xwiki-platform-invitation-ui
CVE-2019-9154 Vulnerability in npm package openpgp
CVE-2018-19048 Vulnerability in npm package simditor
CVE-2021-27884 Vulnerability in npm package yapi-vendor
CVE-2021-43821 Vulnerability in maven package org.opencastproject:opencast-ingest-service-impl