
Private key in package matches real certificate for gruponu3.com (potential compromise) #2100

@Thadeski11

Description

While analyzing a repository that uses browser-sync@2.27.10, I discovered that the file server.key, located inside the package, contains a private key that corresponds to an actual, still-valid certificate for the domain gruponu3.com.

To verify this, go to:
/packages/certs/browser-sync/server.key

Although this file might have been intended for local testing, the included private key matches a real certificate. Here's the certificate:
👉 https://crt.sh/?id=14787125511

You can confirm the match using:

openssl rsa -in server.key -noout -modulus | openssl md5
openssl x509 -in 14787125511.crt -noout -modulus | openssl md5

The MD5 hash of the modulus for both will be:
MD5(stdin)= d5c15082407cbef1518001f54bb93096

Even though the certificate has been marked as revoked (keyCompromise) by the CA, many major browsers and systems (Google, Mozilla, Microsoft) still accept it in practice.

In a previous security test, I was able to set up a working TLS server using the exposed key and certificate. A client (e.g., using curl) could establish a secure HTTPS connection successfully.

⚠️ This implies that anyone using this package could be unintentionally distributing a real private key, posing a serious security risk if reused or deployed in unintended environments.

I highly recommend that the file be removed or replaced with a dummy key that does not match any real-world certificate.
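The modulus comparison from the report above, turned into a reusable check (added example, not code from the issue or from browser-sync): `key_matches_cert` compares the RSA modulus of a PEM private key with that of a PEM certificate, and `scan_for_key` walks a directory such as a vendored dependency tree and prints every key file that is the private half of a given certificate. It assumes the openssl CLI is on PATH; all file and directory names are arguments chosen by the caller.

```shell
#!/bin/sh
# Added example: detect a committed private key that matches a real certificate.
# Assumes the openssl command-line tool is installed; paths are caller-supplied.

# Print "Modulus=..." for an RSA private key, nothing if it cannot be parsed.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Print "Modulus=..." for an X.509 certificate, nothing if it cannot be parsed.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus 2>/dev/null
}

# key_matches_cert KEY CERT
#   exit 0 if KEY is the private half of CERT's public key,
#   exit 1 if the moduli differ,
#   exit 2 if either file is not a readable RSA key / certificate.
key_matches_cert() {
    km=$(key_modulus "$1") || return 2
    cm=$(cert_modulus "$2") || return 2
    [ -n "$km" ] && [ -n "$cm" ] || return 2
    [ "$km" = "$cm" ]
}

# scan_for_key DIR CERT
#   print the path of every *.key / *.pem file under DIR whose private key
#   matches CERT (for example a node_modules tree checked against a cert
#   found in CT logs); prints nothing when there is no match.
scan_for_key() {
    find "$1" -type f \( -name '*.key' -o -name '*.pem' \) | while read -r f; do
        key_matches_cert "$f" "$2" && echo "$f"
    done
}

# Command-line use: sh check_key.sh server.key certificate.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $1 is the private key for $2"
    else
        echo "no match (or unreadable input)"
    fi
fi
```

Comparing the full modulus strings avoids the MD5 step in the report; the result is the same match decision without relying on a weak digest.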
