GHSA-3vr4-cvmg-7fx4

Source

https://github.com/advisories/GHSA-3vr4-cvmg-7fx4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3vr4-cvmg-7fx4/GHSA-3vr4-cvmg-7fx4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3vr4-cvmg-7fx4

Aliases

CVE-2026-6874

Published

2026-04-23T00:31:20Z

Modified

2026-05-05T16:00:28.194025Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action

Details

A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Database specific

{
    "cwe_ids": [
        "CWE-350"
    ],
    "github_reviewed_at": "2026-04-30T20:53:46Z",
    "github_reviewed": true,
    "severity": "LOW",
    "nvd_published_at": "2026-04-23T00:16:47Z"
}

References

Affected packages

npm / copilot-api

Package

Name: copilot-api; View open source insights on deps.dev
Purl: pkg:npm/copilot-api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.7.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3vr4-cvmg-7fx4/GHSA-3vr4-cvmg-7fx4.json"