PT-2024-2625 · Unknown · Codeium-Chrome
Kwstubbs · Published 2024-03-11 · Updated 2024-03-13 · CVE-2024-28120
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: codeium-chrome (affected versions not specified)
Description: The issue stems from missing protection of service data in the codeium-chrome plugin. An attacker can exploit this to send arbitrary requests to the internal autocomplete server on behalf of another user. The service worker of the codeium-chrome extension does not check the sender when it receives an external message, which allows an attacker to steal the user's Codeium API key and impersonate the user against the backend autocomplete server.
Recommendations: At the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, monitor the usage of your API key to reduce the risk of exploitation, and restrict access to the Codeium API key to prevent unauthorized use until the issue is resolved.
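The weakness described above is a missing sender check on an extension's external-message listener. The following is an added illustration and is not code from the codeium-chrome extension or from its authors: it shows the unchecked handler shape beside a hardened one that validates the sender against an allowlist and never exposes the key. The extension id, origin, action names and secret value are constructed placeholders.

```javascript
// Added example (not code from codeium-chrome). Models the sender check that a
// Chrome extension service worker should apply in chrome.runtime.onMessageExternal.
// `sender` follows the shape of chrome.runtime.MessageSender: {id?, url?, origin?, tab?}.

// Allowlists of the only web origins and extension ids allowed to talk to the worker.
// Placeholder values; a real extension lists its own first-party origins/ids.
const ALLOWED_ORIGINS = new Set(["https://app.example-assistant.test"]);
const ALLOWED_EXTENSION_IDS = new Set(["abcdefghijklmnopabcdefghijklmnop"]);

// Actions an external caller may request at all. Nothing here touches the API key.
const PUBLIC_ACTIONS = new Set(["ping", "version"]);

// Decide whether an external message may be handled.
function isTrustedSender(sender) {
  if (!sender || typeof sender !== "object") return false;
  // A message from a web page carries the page url: compare the parsed origin,
  // never a substring of the raw url.
  if (typeof sender.url === "string") {
    let origin;
    try {
      origin = new URL(sender.url).origin;
    } catch {
      return false; // unparsable url: refuse
    }
    return ALLOWED_ORIGINS.has(origin);
  }
  // A message from another extension carries that extension's id and no url.
  if (typeof sender.id === "string") return ALLOWED_EXTENSION_IDS.has(sender.id);
  return false;
}

// Unchecked shape: answers any external message, including one asking for the key.
// This is the weakness class the advisory describes, shown only for contrast.
function handleExternalMessageUnchecked(message, sender, secrets) {
  if (message.action === "getApiKey") return { apiKey: secrets.apiKey };
  return { ok: true };
}

// Hardened shape: refuses untrusted senders and limits callers to public actions,
// so the key is never returned to any external caller regardless of origin.
function handleExternalMessageChecked(message, sender, secrets) {
  if (!isTrustedSender(sender)) return { error: "untrusted sender" };
  if (!message || !PUBLIC_ACTIONS.has(message.action)) return { error: "action not allowed" };
  return { ok: true, action: message.action };
}

// Stand-alone demonstration with constructed inputs.
const secrets = { apiKey: "constructed-placeholder-key" };
const hostileSender = { url: "https://attacker.test/page" };
console.log(handleExternalMessageUnchecked({ action: "getApiKey" }, hostileSender, secrets));
console.log(handleExternalMessageChecked({ action: "getApiKey" }, hostileSender, secrets));
console.log(handleExternalMessageChecked({ action: "ping" }, { url: "https://app.example-assistant.test/editor" }, secrets));
```

In a real service worker the hardened handler would be registered with `chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => sendResponse(handleExternalMessageChecked(msg, sender, secrets)))`. The first line of defence sits before any code runs: the manifest's `externally_connectable` key determines which sites and extensions may message the extension at all (when it is absent, web pages cannot connect but any extension can), so the allowlists above should mirror that manifest entry rather than replace it.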

Tags: Exploit · Improper Access Control · Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-02692
CVE-2024-28120
GHSA-8C7J-2H97-Q63P

Affected Products

Codeium-Chrome