Vulnerability Information
Vulnerability Title
API key leak in codeium-chrome
Vulnerability Description
codeium-chrome is an open source code completion plugin for the Chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium API key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Type
Improper Access Control
Vulnerability Title
codeium-chrome security vulnerability
Vulnerability Description
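codeium-chrome is an open source code completion plugin for the Chrome web browser. The Chrome plugin codeium-chrome v1.2.52 has a security vulnerability that stems from the Service Worker not checking the sender when receiving external messages, which allows an attacker to host a website that steals the user's Codeium API key.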
CVSS Information
N/A
Vulnerability Type
N/A
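The missing check described above, sketched as an added example (not code from the codeium-chrome project): a wrapper that validates the browser-reported sender before an external-message handler runs. The allowlisted origin, the `guardExternal` helper and the placeholder handler are assumptions made for illustration.

```javascript
// Added example: sender validation for an extension's external-message handler.
// Hypothetical allowlist; a real extension would list only origins it controls.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// True only when the sender object supplied by the browser maps to an
// allowlisted web origin. sender.origin is preferred; sender.url is a fallback.
function isTrustedSender(sender) {
  if (!sender || typeof sender !== "object") return false;
  let origin = typeof sender.origin === "string" ? sender.origin : null;
  if (!origin && typeof sender.url === "string") {
    try { origin = new URL(sender.url).origin; } catch { return false; }
  }
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Wrap a handler so it never sees messages from senders that fail the check.
function guardExternal(handler) {
  return (message, sender, sendResponse) => {
    if (!isTrustedSender(sender)) {
      sendResponse({ error: "untrusted sender" });
      return false; // no asynchronous response will follow
    }
    return handler(message, sender, sendResponse);
  };
}

// Registration inside the service worker. Restricting "externally_connectable"
// in the manifest is a first layer; this check is the second.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener(
    guardExternal((message, sender, sendResponse) => {
      sendResponse({ ok: true }); // placeholder for the extension's real logic
      return false;
    })
  );
}
```
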