Description
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr
Scores
CVSS v3
7.5
EPSS
0.0019
EPSS Percentile
9.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
stripe/stripe-cli
1.11.1 - 1.21.3Go
stripe/stripe_cli
1.11.1 - 1.21.3
Published
Sep 05, 2024
Tracked Since
Feb 18, 2026