Passkit generator vulnerabilities issue

Question

Created Dec ’25

Replies 3

Boosts 0

Participants 4

We are getting vulnerabilities for passkit generator, used for apple wallet creation. Could you please suggest how to resolve this issue In our system we updated MIME with latest version but passkit is referring older version 1.4.1

npm audit report

mime <1.4.1

Severity: high

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp

No fix available

node_modules/mime

passkit *

Depends on vulnerable versions of mime

node_modules/passkit

2 high severity vulnerabilities

Some issues need review, and may require choosing

a different dependency.

Answered by DTS Engineer in 893566022

Hi @ashishvani,

You wrote:

We are getting vulnerabilities for passkit generator, used for apple wallet creation.

Both @dapeters and @AlexanderCerutti are correct, passkit-generator is a third-party library and is not provided, nor supported, by Apple.

However, if you'd like to use our new Pass Designer and Pass Builder tools to manage your Wallet pass creation, signing, and personalization, please see the following WWDC26 session:

WWDC26: Session 209 – What's New in Wallet

https://developer.apple.com/videos/play/wwdc2026/209/

Cheers,

Paris X Pinkney |  WWDR | DTS Engineer

Answer 1

dapeters OP

Dec ’25

Hi,

passkit-generator is an external, third-party library and has no affiliation with Apple. If you’d like complete control over Wallet passes, I suggest generating the pass JSON and signing the manifest directly in your own implementation.

Answer 2

AlexanderCerutti OP

Mar ’26

Hi, passkit-generator creator here. For things like that, it is likely better to write on Github. I found this thread "by mistake". I never heard of the CVE you are referring to, btw. The referred dependency is something you generally install with the examples, but I don't know what you are doing.

Answer 3

DTS Engineer OP

Apple

1d

Recommended