## Shopware Administration Library 'pretty' Exposes Critical 9.8 CVSS Vulnerability in Build Chain
A critical security flaw with a CVSS score of 9.8 has been flagged within the build dependencies of the Shopware 6 administration interface. The vulnerability, CVE-2021-44906, resides in the transitive dependency `minimist-0.0.8.tgz`, which is pulled in by the library `pretty-2.0.0.tgz`. This library is used for HTML beautification within the Nuxt-based component library of the Shopware Administration. The finding is marked as 'reachable', indicating the vulnerable code path is active within the application's build process, posing a direct risk to the integrity of the admin panel's development and deployment pipeline.

The vulnerable `pretty` library is located in the project at `/src/Administration/Resources/app/administration/build/nuxt-component-library/package.json`. Alongside the critical `minimist` flaw, a separate high-severity vulnerability (CVE-2020-7788, CVSS 7.3) in the `ini-1.3.5.tgz` package was also identified. Both vulnerabilities are in transitive dependencies, meaning they are not directly declared but are brought in by other libraries. Crucially, the scan indicates that no direct remediation—such as an available patched version—is currently offered for these specific package versions, leaving developers with the complex task of mitigating or replacing the upstream dependencies.

This exposure places the security of the Shopware administration build environment under immediate scrutiny. While the Exploit Prediction Scoring System (EPSS) suggests a low probability of broad exploitation, the 'reachable' status and critical severity create a pressing operational risk. Development and security teams must audit their dependency trees, as unpatched transitive vulnerabilities in build tools can serve as an entry point for supply chain attacks, potentially compromising the entire administration application before it is even deployed to production.
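One way to run the dependency-tree audit described above, as an added example that is not Shopware's or the scanner's own code: it walks an npm lockfile (v2/v3 `packages` layout) the way Node resolves modules and reports the full chain leading to each flagged version. The lockfile is constructed and the `intermediate-*` package names are hypothetical; only `pretty@2.0.0`, `minimist@0.0.8`, `ini@1.3.5` and the two CVE IDs come from the report.

```javascript
// Constructed sample in npm lockfile v2/v3 "packages" layout. The intermediate-*
// names are hypothetical; only the pretty/minimist/ini versions come from the report.
const sampleLock = {
  packages: {
    "": { dependencies: { pretty: "^2.0.0" } },
    "node_modules/pretty": { version: "2.0.0", dependencies: { "intermediate-a": "^1.0.0" } },
    "node_modules/intermediate-a": { version: "1.0.0", dependencies: { "intermediate-b": "^0.5.0", "intermediate-c": "^1.0.0" } },
    "node_modules/intermediate-b": { version: "0.5.1", dependencies: { minimist: "0.0.8" } },
    "node_modules/intermediate-b/node_modules/minimist": { version: "0.0.8" },
    "node_modules/intermediate-c": { version: "1.0.0", dependencies: { ini: "^1.3.4" } },
    "node_modules/ini": { version: "1.3.5" },
    "node_modules/minimist": { version: "1.2.6" }, // hoisted copy nobody in this tree requires
  },
};
// Flagged name@version pairs named in the report.
const FLAGGED = { "minimist@0.0.8": "CVE-2021-44906", "ini@1.3.5": "CVE-2020-7788" };

// Mimic Node resolution: try the requiring package's own node_modules, then each ancestor's.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk from the root project; returns one entry per path to a flagged version.
function findFlaggedPaths(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const hits = [];
  const walk = (path, chain, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (!target || seen.has(target)) continue; // uninstalled optional dep, or a cycle
      const id = `${name}@${packages[target].version}`;
      const next = [...chain, id];
      if (flagged[id]) hits.push({ cve: flagged[id], chain: next.join(" > ") });
      walk(target, next, new Set(seen).add(target));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return hits;
}
console.log(findFlaggedPaths(sampleLock));
```

The printed chain shows which intermediate package pins the flagged version, which is where an npm `overrides` entry or a replacement of the direct dependency has to be applied.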
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain, vulnerability, javascript, cve-2021-44906, dependency
- **Credibility**: unverified
- **Published**: 2026-04-18 15:22:35
- **ID**: 70661
- **URL**: https://whisperx.ai/en/intel/70661