In late 2022, a security vulnerability was discovered in the popular Airtable.js JavaScript client for Airtable’s API. Tracked as CVE-2022-46155, this security bug could accidentally leak private API keys into distributed code, exposing your Airtable data to the world. In this post, we’ll break down what went wrong, show you the code behind the leak, how to check if you’re affected, and—most importantly—how to stay secure.
What is CVE-2022-46155?
CVE-2022-46155 is a security issue present in Airtable.js before version 0.11.6. Here’s the heart of the problem:
- Airtable.js’s build script (included in the project source) had a misconfiguration.
- If you cloned the Airtable.js GitHub repo and ran its build (for local customization or development), your own environment variables, including sensitive API keys, could get hard-coded into the final JavaScript bundle.
- If you then published or shared this built file, your secret API keys traveled with it.
This risk was not present if you installed Airtable.js via npm or yarn’s prebuilt package. It only affected those who built the package from source.
How Could Your API Key Get Leaked?
The issue comes down to how JavaScript code can read environment variables at build time through process.env.*. Web app bundlers (like Browserify) replace each such reference with the variable's value at build time, so the value is inlined as a string constant in the distributed code.
Airtable.js code referenced some keys directly, for example:
```javascript
// Inside Airtable.js source
const defaultApiKey = process.env.AIRTABLE_API_KEY || '';
const apiUrl = process.env.AIRTABLE_ENDPOINT_URL || 'https://api.airtable.com/v0/';
```
When you run the build script (npm run prepare), these lines become:
```javascript
// In the generated bundle if process.env.AIRTABLE_API_KEY = 'skSecretKey123'
const defaultApiKey = 'skSecretKey123';
const apiUrl = 'https://api.airtable.com/v0/';
```
That means private data (your API key) can be baked right into your build, visible to anyone with the code!
You’re only at risk if:
1. You cloned the Airtable.js repo to your local machine, and
2. Your shell or terminal had AIRTABLE_API_KEY set at build time.
If you only used npm install airtable (or yarn add airtable), you’re safe. The published build on npm does not bundle your machine’s environment variables.
To reproduce the leak locally:
1. Set your API key in the shell (bad example, never do this with a real key!)
```bash
export AIRTABLE_API_KEY="skTestSecret123"
```
2. Build Airtable.js from source
```bash
git clone https://github.com/Airtable/airtable.js.git
cd airtable.js
npm install
npm run prepare # This runs the build script
```
3. Now search the built JavaScript (often dist/airtable.browser.js, etc.)
```bash
grep "skTestSecret123" dist/airtable.browser.js
```
You’ll find it! That’s your secret baked right into the distributed JS code.
Here’s a code snippet showing how an attacker or developer could extract your key from a bundle:
```javascript
// Snippet to search for API keys in a JS bundle
const fs = require('fs');
const bundle = fs.readFileSync('dist/airtable.browser.js', 'utf8');
const regex = /sk\w{15,}/g; // Airtable API keys start with 'sk'
const foundKeys = bundle.match(regex);
if (foundKeys) {
  console.log("Potential leaked API keys:", foundKeys);
} else {
  console.log("No keys found.");
}
```
If you shared or published this bundle, anyone with the file could extract your API key and control your Airtable workspace.
How to Stay Secure
- Upgrade to Airtable.js 0.11.6 or later. This release stops embedding env variables in the bundle. See the release notes.
- Remove exported keys from ~/.bashrc, ~/.zshrc, etc., so they are not present in your build environment.
- Rotate leaked API keys: log in to Airtable account settings and rotate/regenerate any exposed keys.
Summary Table
| Step | Safe | Unsafe |
|--------------------------|----------------------------------|--------------------------------|
| Install via npm/yarn | ✅ | |
| Build from GitHub source | ✅ (if AIRTABLE_API_KEY is not set) | (if AIRTABLE_API_KEY is set) |
| Share built JS | ✅ (if no secrets baked in) | (if API key baked in) |
| Use >= 0.11.6 | ✅ | |
References
- GitHub Security Advisory for Airtable.js
- CVE-2022-46155 at NVD
- Airtable.js Source Code
- Airtable API Docs
Final Thoughts
CVE-2022-46155 is a “supply chain” risk that can slip unnoticed into custom-built JavaScript dependencies. Always check what your build scripts do with environment variables, use trusted prebuilt packages when possible, and never insert secrets into your codebase.
If you ever customized Airtable.js or built it from source, audit your code bundles today.
For more on staying secure with JavaScript and APIs, follow official Airtable.js updates, use a secrets scanner in your pipelines, and keep your API keys private!
Timeline
Published on: 11/29/2022 23:15:00 UTC
Last modified on: 07/07/2023 19:04:00 UTC