—

Why it Matters

Sometimes a vulnerable extension cannot be upgraded immediately — due to compatibility issues, vendor delays, or release freezes. In these cases, teams may apply temporary mitigations such as firewall rules, input filtering, or disabling a feature. If these mitigations are undocumented, they can be forgotten and bypassed later, leaving the store exposed.

Documenting temporary mitigations ensures everyone knows the risk is only partially reduced, tracks who applied the workaround, and records when it must be replaced by a proper fix.

Verification Steps

# Confirm open advisories with no upgrade available
# Verify there is a mitigation entry in security tracker:
# - Date applied
# - Mitigation method
# - Owner
# - Expiry/review date

# Firewall rule blocking vulnerable endpoint
# Temporary feature toggle disabling unsafe upload

Remediation / Fix Guidance

1. Create a central file or tracker (e.g., SECURITY_MITIGATIONS.md or Jira board) to record all temporary fixes.
2. Each entry must include:
   • Vulnerability ID (CVE or advisory link)
   • Mitigation applied (e.g., WAF rule, module disabled, config change)
   • Who applied it and when
   • Review/expiry date
3. Schedule regular reviews to confirm mitigations are either replaced with upgrades or remain enforced.
4. Communicate mitigations to all stakeholders so no one assumes the issue is fully fixed.

Examples

# CVE-2025-1234 in vendor/module
# Team added WAF rule but did not log it
# Months later, WAF reset → exposure returns → FAIL

# SECURITY_MITIGATIONS.md
- CVE-2025-1234
- Mitigation: Disabled file upload feature in module
- Applied by: Alice, 2025-09-10
- Expiry: Replace with upgrade by 2025-10-01

References

• OWASP Top 10 — A06: Vulnerable & Outdated Components
• OWASP — Temporary Workarounds