Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1070674?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1070674?format=api", "purl": "pkg:npm/inngest@3.31.11-pr-851.0", "type": "npm", "namespace": "", "name": "inngest", "version": "3.31.11-pr-851.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.54.0", "latest_non_vulnerable_version": "3.54.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92143?format=api", "vulnerability_id": "VCID-vz52-k7dh-27g4", "summary": "Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods\n# Summary\n\nA vulnerability in the Inngest TypeScript SDK versions `3.22.0` through `3.53.1` allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the `serve()` HTTP handler.\n\nThe `serve()` handler implements `GET`, `POST`, and `PUT` methods. Requests using `PATCH`, `OPTIONS`, or `DELETE` fall through to a generic handler that returns diagnostic information. A change introduced in `v3.22.0` caused this diagnostic response to include the contents of `process.env`, exposing any secrets, API keys, or credentials present in the environment.\n\n# Who is affected\n\nAn application is vulnerable if **all** of the following are true:\n\n- It uses `inngest` SDK version `>= 3.22.0, <= 3.53.1` (inclusive)\n- Its `serve()` endpoint is reachable via `PATCH`, `OPTIONS`, or `DELETE` requests.\n\nPlease check your framework's implementation for the serve handler ([documentation](https://www.inngest.com/docs/learn/serving-inngest-functions)) to asses whether it handles these HTTP methods. Common vulnerable configurations include:\n\n- Next.js Pages Router, which forwards all HTTP methods to the handler.\n- Express via `app.use('/api/inngest', serve(...))`, which routes `PATCH` and `OPTIONS` to the handler by default.\n\nThe following are **not** affected:\n\n- Next.js App Router handlers that explicitly export only `GET`, `POST`, and `PUT`.\n- Applications using the `connect` worker method.\n- SDK versions `< 3.22.0` and `>= 3.54.0`, including all `4.x` releases.\n\nThe vulnerability was responsibly disclosed by an Inngest user. At this time, there are no known reports of exploitation.\n\n# Remediation\n\n1. Upgrade to `inngest@3.54.0` or later. The fix is backwards compatible with the `3.x` release line. The `4.x` line is also unaffected.\n2. Rotate any secrets that were presence in environment variables (`process.env`) within affected environments including Inngest signing keys and event keys\n3. Search logs for any requests to your `serve` endpoints using the `PATCH`, `OPTIONS`, `DELETE` http methods to assess if any environment variables may have been exposed.\n\n## Additional recommendations\n\nUsers on platforms with long-lived deployments (e.g. Vercel, Cloudflare Workers) should be aware that prior deployments remain reachable at their immutable URLs and may continue to expose the vulnerability even after a new deployment is promoted. For example, Vercel offers security features such as \"[Deployment Protection](https://vercel.com/docs/deployment-protection#standard-protection)\" and [the ability to delete older deployments](https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment) which can help immediately mitigate impact.\n\nFor additional security, users can also adjust firewall or proxy rules to only allow requests to their `serve` endpoint from Inngest IP addresses available here: http://inngest.com/ips-v4, http://inngest.com/ips-v6\n\n### Workarounds\n\nIf upgrading is not immediately possible, restrict the `serve()` endpoint at the framework or reverse-proxy layer to accept only `GET`, `POST`, and `PUT`. The Inngest `serve()` endpoint does not require any other HTTP methods.\n\n### Resources\n\n- Rotating Inngest keys: https://www.inngest.com/docs/platform/manage/rotating-keys\n- Inngest signing keys: https://www.inngest.com/docs/platform/signing-keys\n- Inngest event keys: https://www.inngest.com/docs/events/creating-an-event-key\n- Inngest security best practices: https://www.inngest.com/docs/learn/security\n\n### Credits\n\n- Ben Hylak - an independent security researcher, discovered and responsibly disclosed the vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42047", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15414", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15464", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15454", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.16758", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.1674", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42047" }, { "reference_url": "https://github.com/inngest/inngest-js", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/inngest/inngest-js" }, { "reference_url": "https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T13:52:40Z/" } ], "url": "https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1" }, { "reference_url": "https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T13:52:40Z/" } ], "url": "https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42047", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42047" }, { "reference_url": "https://vercel.com/docs/deployment-protection#standard-protection", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vercel.com/docs/deployment-protection#standard-protection" }, { "reference_url": "https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vercel.com/kb/guide/how-do-i-delete-an-individual-deployment" }, { "reference_url": "https://www.inngest.com/docs/events/creating-an-event-key", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.inngest.com/docs/events/creating-an-event-key" }, { "reference_url": "https://www.inngest.com/docs/learn/security", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.inngest.com/docs/learn/security" }, { "reference_url": "https://www.inngest.com/docs/learn/serving-inngest-functions", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.inngest.com/docs/learn/serving-inngest-functions" }, { "reference_url": "https://www.inngest.com/docs/platform/manage/rotating-keys", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.inngest.com/docs/platform/manage/rotating-keys" }, { "reference_url": "https://www.inngest.com/docs/platform/signing-keys", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.inngest.com/docs/platform/signing-keys" }, { "reference_url": "https://github.com/advisories/GHSA-2jf5-6wwv-vhxx", "reference_id": "GHSA-2jf5-6wwv-vhxx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2jf5-6wwv-vhxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114734?format=api", "purl": "pkg:npm/inngest@3.54.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/inngest@3.54.0" } ], "aliases": [ "CVE-2026-42047", "GHSA-2jf5-6wwv-vhxx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vz52-k7dh-27g4" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/inngest@3.31.11-pr-851.0" }