Information Exposure Vulnerability in @nestjs/core by NestJS
CVE-2023-26108

3.7LOW

Key Information:

Vendor: Nestjs
Status: @nestjs/core
Vendor: CVE Published:; 6 March 2023

What is CVE-2023-26108?

Versions of the @nestjs/core package prior to 9.0.5 are susceptible to an information exposure issue related to the StreamableFile pipe. This vulnerability arises when a client cancels a request during the streaming of a StreamableFile, which inadvertently keeps the stream open. This may result in sensitive information becoming accessible unintentionally, thereby posing a security risk to applications utilizing this package.

Affected Version(s)

@nestjs/core 0 < 9.0.5

References

https://security.snyk.io/vuln/SNYK-JS-NESTJSCORE-2869127

https://github.com/nestjs/nest/issues/9759

https://github.com/nestjs/nest/pull/9819

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2023
Vulnerability Reserved
Feb 20, 2023

Credit

alexd6631

CVE-2023-26108 Data

JSON

Nestjs

What is CVE-2023-26108?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit