
Vulnerability report #4532

Closed
luigigubello opened this issue Jan 27, 2023 · 5 comments

Comments

@luigigubello

Hi 👋 I need to report a potential vulnerability in PlatformIO Core, but you don't have a security policy. How should I proceed?

@ivankravets
Member

Hi Luigi, please email us directly via [email protected] or provide a PR. We will release the new version ASAP if the issue is critical. Thanks!

@luigigubello
Author

luigigubello commented Jan 27, 2023

Hi @ivankravets 👋 Unfortunately, I don't have enough knowledge of this project and the codebase seems too big to propose a good PR, but I am writing to [email protected] to provide all the info to reproduce the bug. Thank you!

@luigigubello
Author

luigigubello commented Jan 27, 2023

Hi @ivankravets
I have tried to send the e-mail, but I have received this message:

554 5.7.1 <[email protected]>: Relay access denied

Could you share another e-mail address or fix the server?

Thank you

EDIT: Ah, the domain is not piolab.com but piolabs.com

@ivankravets
Member

Thanks for the report. Please re-test with pio upgrade --dev.

P.S.: Yes, it should be piolabs.com. Sorry for the typo :(

@luigigubello
Author

I can confirm that I cannot reproduce the issue using the same payload and proof-of-concept 👌 I have not tried to find a regex bypass, and I am still investigating PlatformIO 6.1.6 to check if there are other entry points (or just other vulnerabilities :)). Will PlatformIO report the vulnerability in the GitHub Security Advisories?
