PT-2023-26560 · Unknown · Cypress-Image-Snapshot

Thib3113 · Published 2023-08-01 · Updated 2023-08-09 · CVE-2023-38695

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: cypress-image-snapshot versions prior to 8.0.2

Description: The issue allows a user to pass a relative file path as the snapshot name, which can write files outside the project directory on the machine running the test. Passing a relative path such as ../../../ignore-relative-dirs to the matchImageSnapshot function creates files outside the intended snapshot directory.

Recommendations: For versions prior to 8.0.2, update to version 8.0.2 to resolve the issue. As a temporary workaround, review all existing uses of matchImageSnapshot to ensure the filename argument is used correctly, and consider calling the function without a filename so that it defaults to the test title, for example cy.matchImageSnapshot().

Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2023-38695, GHSA-VXJG-HCHX-CC4G

Affected Products: Cypress-Image-Snapshot