CVE-2026-28792
TinaCMS · TinaCMS CLI
TinaCMS CLI is vulnerable to a browser-based drive-by attack that allows remote attackers to read, write, or delete files on developer machines.
Executive summary
A critical vulnerability in the TinaCMS CLI dev server allows remote attackers to perform filesystem operations on developer machines via a browser-based drive-by attack.
Vulnerability
The vulnerability combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with a path traversal flaw. An unauthenticated remote attacker can trick a developer into visiting a malicious website, which then uses the developer's browser to send requests to the locally running tinacms dev server that read, write, or delete files on the developer's machine.
Business impact
With a CVSS score of 9.6, this vulnerability poses a severe threat to developer workstations. Attackers can enumerate the filesystem, steal sensitive source code, or delete critical project files. This could lead to a supply chain compromise if an attacker manages to inject malicious code into the project via the CLI.
Remediation
Immediate Action: Update the TinaCMS CLI to version 2.1.8 or later to resolve the CORS and path traversal issues.
Proactive Monitoring: Encourage developers to monitor for unexpected file changes in their project directories while the dev server is active.
Compensating Controls: Restrict the tinacms dev server to bind only to the local loopback interface (127.0.0.1) and avoid browsing untrusted websites while the dev server is running.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Developers must update to version 2.1.8 immediately. Because this vulnerability targets the development environment, it is a significant risk to the integrity of the software development lifecycle. Immediate patching is the only effective mitigation.