{"url":"http://public2.vulnerablecode.io/api/packages/1070599?format=json","purl":"pkg:npm/inngest@3.29.4-pr-802.0","type":"npm","namespace":"","name":"inngest","version":"3.29.4-pr-802.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.54.0","latest_non_vulnerable_version":"3.54.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92143?format=json","vulnerability_id":"VCID-vz52-k7dh-27g4","summary":"Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods\n# Summary\n\nA vulnerability in the Inngest TypeScript SDK versions `3.22.0` through `3.53.1` allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the `serve()` HTTP handler.\n\nThe `serve()` handler implements `GET`, `POST`, and `PUT` methods. Requests using `PATCH`, `OPTIONS`, or `DELETE` fall through to a generic handler that returns diagnostic information. A change introduced in `v3.22.0` caused this diagnostic response to include the contents of `process.env`, exposing any secrets, API keys, or credentials present in the environment.\n\n# Who is affected\n\nAn application is vulnerable if **all** of the following are true:\n\n- It uses `inngest` SDK version `>= 3.22.0, <= 3.53.1` (inclusive)\n- Its `serve()` endpoint is reachable via `PATCH`, `OPTIONS`, or `DELETE` requests.\n\nPlease check your framework's implementation for the serve handler ([documentation](https://www.inngest.com/docs/learn/serving-inngest-functions)) to asses whether it handles these HTTP methods. Common vulnerable configurations include:\n\n- Next.js Pages Router, which forwards all HTTP methods to the handler.\n- Express via `app.use('/api/inngest', serve(...))`, which routes `PATCH` and `OPTIONS` to the handler by default.\n\nThe following are **not** affected:\n\n- Next.js App Router handlers that explicitly export only `GET`, `POST`, and `PUT`.\n- Applications using the `connect` worker method.\n- SDK versions `< 3.22.0` and `>= 3.54.0`, including all `4.x` releases.\n\nThe vulnerability was responsibly disclosed by an Inngest user. At this time, there are no known reports of exploitation.\n\n# Remediation\n\n1. Upgrade to `inngest@3.54.0` or later. The fix is backwards compatible with the `3.x` release line. The `4.x` line is also unaffected.\n2. Rotate any secrets that were presence in environment variables (`process.env`) within affected environments including Inngest signing keys and event keys\n3. Search logs for any requests to your `serve` endpoints using the `PATCH`, `OPTIONS`, `DELETE` http methods to assess if any environment variables may have been exposed.\n\n## Additional recommendations\n\nUsers on platforms with long-lived deployments (e.g. Vercel, Cloudflare Workers) should be aware that prior deployments remain reachable at their immutable URLs and may continue to expose the vulnerability even after a new deployment is promoted. For example, Vercel offers security features such as \"[Deployment Protection](https://vercel.com/docs/deployment-protection#standard-protection)\" and [the ability to delete older deployments](https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment) which can help immediately mitigate impact.\n\nFor additional security, users can also adjust firewall or proxy rules to only allow requests to their `serve` endpoint from Inngest IP addresses available here: http://inngest.com/ips-v4, http://inngest.com/ips-v6\n\n### Workarounds\n\nIf upgrading is not immediately possible, restrict the `serve()` endpoint at the framework or reverse-proxy layer to accept only `GET`, `POST`, and `PUT`. The Inngest `serve()` endpoint does not require any other HTTP methods.\n\n### Resources\n\n- Rotating Inngest keys: https://www.inngest.com/docs/platform/manage/rotating-keys\n- Inngest signing keys: https://www.inngest.com/docs/platform/signing-keys\n- Inngest event keys: https://www.inngest.com/docs/events/creating-an-event-key\n- Inngest security best practices: https://www.inngest.com/docs/learn/security\n\n### Credits\n\n- Ben Hylak - an independent security researcher, discovered and responsibly disclosed the vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42047","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15414","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15464","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15454","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16758","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.1674","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42047"},{"reference_url":"https://github.com/inngest/inngest-js","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/inngest/inngest-js"},{"reference_url":"https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T13:52:40Z/"}],"url":"https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1"},{"reference_url":"https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T13:52:40Z/"}],"url":"https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42047","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42047"},{"reference_url":"https://vercel.com/docs/deployment-protection#standard-protection","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://vercel.com/docs/deployment-protection#standard-protection"},{"reference_url":"https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment"},{"reference_url":"https://www.inngest.com/docs/events/creating-an-event-key","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.inngest.com/docs/events/creating-an-event-key"},{"reference_url":"https://www.inngest.com/docs/learn/security","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.inngest.com/docs/learn/security"},{"reference_url":"https://www.inngest.com/docs/learn/serving-inngest-functions","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.inngest.com/docs/learn/serving-inngest-functions"},{"reference_url":"https://www.inngest.com/docs/platform/manage/rotating-keys","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.inngest.com/docs/platform/manage/rotating-keys"},{"reference_url":"https://www.inngest.com/docs/platform/signing-keys","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.inngest.com/docs/platform/signing-keys"},{"reference_url":"https://github.com/advisories/GHSA-2jf5-6wwv-vhxx","reference_id":"GHSA-2jf5-6wwv-vhxx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2jf5-6wwv-vhxx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114734?format=json","purl":"pkg:npm/inngest@3.54.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/inngest@3.54.0"}],"aliases":["CVE-2026-42047","GHSA-2jf5-6wwv-vhxx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vz52-k7dh-27g4"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/inngest@3.29.4-pr-802.0"}