From 120778e8727dcdb591051705abe398972a53c1c3 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 17:16:28 +0000 Subject: [PATCH] docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk --- SECURITY.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 917f13c..f9e4c61 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,3 +22,28 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us ## Reporting a Vulnerability Please report security vulnerabilities by opening a private issue or emailing the maintainers directly. + +## Known Low-Severity Vulnerabilities + +### GHSA-848j-6mx2-7j84 (elliptic) + +**Severity:** High (but not exploitable in this plugin's context) + +**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`) + +**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires: +- Use of `elliptic` curve operations on untrusted input, AND +- Ability for an attacker to influence the `elliptic` curve key generation input + +Neither condition is met in this plugin's runtime context. + +**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint. + +**Risk acceptance rationale:** +1. Plugin has no write operations against the cluster +2. All data flows through Headlamp's API proxy with standard RBAC enforcement +3. The vulnerable dependency is only in the development/build toolchain, not runtime +4. No untrusted input can reach `elliptic` curve operations through this plugin + +**Review date:** 2026-05-05 +**Reviewed by:** Hugh Hackman (VP Engineering Operations)