Inngest TypeScript SDK Environment Variable Exfiltration Vulnerability
Vulnerability
A vulnerability exists in the Inngest TypeScript SDK in versions from 3.22.0 up to, but not including, 3.54.0. It allows unauthenticated remote attackers to exfiltrate environment variables from the host process through the serve() HTTP handler. The serve() handler is intended to support the GET, POST, and PUT methods, but it inadvertently returns the contents of process.env in response to PATCH, OPTIONS, or DELETE requests. That output can include sensitive values such as secrets, API keys, or credentials. The vulnerability is exposed whenever the serve() endpoint is reachable with one of those HTTP methods, which is a common scenario in applications using the Next.js Pages Router or certain Express configurations.
Impact
Exploitation of this vulnerability allows for the unauthorized exposure of environment variables, including sensitive information such as secrets, API keys, and credentials, from the host process via the serve() HTTP handler.
Remediation
Users should upgrade to Inngest version 3.54.0 or later. After upgrading, it is recommended to rotate any secrets that were present in environment variables within affected environments, including Inngest signing keys and event keys. Additionally, users should check logs for any requests to serve() endpoints using the PATCH, OPTIONS, or DELETE methods to assess whether any environment variables may have been exposed. For those on platforms with long-lived deployments, such as Vercel or Cloudflare Workers, be aware that older deployments may still be vulnerable; consider using Vercel's deployment protection features to mitigate the impact.
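As an added example (not code from the advisory or from Inngest), the following script implements the log check recommended above: it scans access-log lines for PATCH, OPTIONS, or DELETE requests to the serve() route and flags those the handler answered with a 2xx status. The combined log format and the default route path "/api/inngest" are assumptions; adjust both to match your deployment.

```javascript
// Added example: find requests to the Inngest serve() route that used the
// methods the advisory names. Log format and route path are assumptions.
const SUSPECT_METHODS = new Set(["PATCH", "OPTIONS", "DELETE"]);

// Parser for Apache/Nginx combined log format (assumed): ip ident user [time] "METHOD PATH PROTO" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // unparseable line, skipped by the caller
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split("?")[0], status: Number(m[5]) };
}

// Return every request to the serve() route (default "/api/inngest", an assumption)
// that used PATCH, OPTIONS or DELETE. A 2xx status means the handler produced a
// response, so environment exposure is likely; other statuses still merit review.
function findSuspectRequests(lines, servePath = "/api/inngest") {
  const hits = [];
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r || r.path !== servePath || !SUSPECT_METHODS.has(r.method)) continue;
    hits.push({ ...r, likelyExposed: r.status >= 200 && r.status < 300 });
  }
  return hits;
}

// Constructed sample log lines (not real traffic); documentation-range IPs.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "POST /api/inngest HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2025:13:55:37 +0000] "PUT /api/inngest HTTP/1.1" 200 34',
  '198.51.100.7 - - [10/Oct/2025:13:56:01 +0000] "OPTIONS /api/inngest HTTP/1.1" 200 4096',
  '198.51.100.7 - - [10/Oct/2025:13:56:02 +0000] "PATCH /api/inngest?x=1 HTTP/1.1" 200 4096',
  '198.51.100.7 - - [10/Oct/2025:13:56:03 +0000] "DELETE /api/inngest HTTP/1.1" 405 0',
  '192.0.2.9 - - [10/Oct/2025:13:57:00 +0000] "DELETE /api/users/42 HTTP/1.1" 204 0',
];

for (const h of findSuspectRequests(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} -> ${h.status} likelyExposed=${h.likelyExposed}`);
}
```

Any hit marked likelyExposed=true should be treated as a confirmed disclosure of that deployment's environment variables, which is the trigger for the secret rotation described above.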