CVE-2026-42047

EPSS 0.38%
Veröffentlicht 07.05.2026 20:38:36
Zuletzt bearbeitet 13.05.2026 14:06:01
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inngest ≫ Inngest SwPlatformnode.js Version >= 3.22.0 < 3.54.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.298

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx

Vendor Advisory

Mitigation

https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1

Patch

Product

https://nvd.nist.gov/vuln/detail/CVE-2026-42047

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42047

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42047

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42047