snyk-broker is vulnerable to information disclosure. The vulnerability exists because it does not properly remove the information after a fragment identifier of the URL, allowing a user with access to Snyk’s internal network to read arbitrary files by appending a fragment identifier and a whitelisted path to the URL, e.g. #package.json.
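
The check described above, as an added example that is not snyk-broker's own code: a path allowlist that matches the raw request target beside one that parses the target and discards the fragment before matching. `ALLOWED_FILES`, `BASE`, the function names and the sample targets are hypothetical and constructed for illustration.

```javascript
// Added illustration, not snyk-broker source. ALLOWED_FILES, BASE and both
// function names are hypothetical.
const ALLOWED_FILES = ['package.json'];
const BASE = 'http://placeholder.invalid'; // used only to parse relative targets

// Weak form: tests the raw request target, so text after '#' satisfies the
// check even though it is not part of the path that is eventually fetched.
function weakIsAllowed(rawTarget) {
  return ALLOWED_FILES.some((name) => rawTarget.endsWith(name));
}

// Hardened form: parse first, drop fragment and query, then match on the
// canonical path and return that same path for the caller to forward.
function resolveAllowedPath(rawTarget) {
  let url;
  let path;
  try {
    url = new URL(rawTarget, BASE);
    path = decodeURIComponent(url.pathname);
  } catch (err) {
    return null; // unparsable target or malformed percent-encoding
  }
  if (url.origin !== BASE) return null; // target tried to switch scheme or host
  const segments = path.split('/');
  if (segments.some((s) => s === '..' || s === '.')) return null;
  const file = segments[segments.length - 1];
  return ALLOWED_FILES.includes(file) ? path : null;
}

// Constructed sample request targets.
const SAMPLES = [
  '/repo/package.json',
  '/repo/package.json#readme',
  '/repo/secret.txt#package.json',
];

// Runs both checks over the samples so the difference is visible side by side.
function compare() {
  return SAMPLES.map((target) => ({
    target,
    weak: weakIsAllowed(target),
    hardened: resolveAllowedPath(target),
  }));
}

console.log(compare());
```

The hardened function returns the path to forward rather than a boolean, so the value that was checked and the value that is used cannot diverge.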