<aside> ℹ️

Inngest is using this temporary site to share information directly with customers ahead of the public announcement on our website. If you want to verify any of the information below, please contact [email protected] or [email protected].

</aside>

We have discovered a security vulnerability affecting v3 of the Inngest TypeScript SDK, specifically v3.22.x through v3.53.1, impacting a subset of Inngest users. According to our logs, at some point in the past you have deployed an impacted version of the SDK.

If you are still running v3.x of the TS SDK, it is urgent that you take immediate action to protect yourself by upgrading to v3.54.0 or greater.

Remediations are below, and we’ll post details on the SDK changes on April 27th to give people time to update the SDKs before publishing more details.

You are currently vulnerable if all of the below apply:

If you do not allow PATCH, OPTIONS, or DELETE requests to reach the SDK, you are not impacted (note that the Inngest serve endpoint only requires GET, POST, and PUT for all required functionality).

For example, with the Next.js app router, if you export only GET, POST, and PUT (export const { GET, POST, PUT }), you are not vulnerable: PATCH, OPTIONS, and DELETE requests are never passed through to the SDK handler.

Some examples for select frameworks:

Applications using the connect worker method are unaffected.
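For frameworks that do not let you export per-method handlers, the same protection can be applied as a wrapper that only forwards GET, POST, and PUT to the serve handler and answers everything else with 405. The following is an added example, not Inngest SDK code: the request/response shapes and the mock serve handler (whose fallback returns a fixed marker string, not the SDK's real diagnostic payload) are constructed stand-ins.

```typescript
// Added example (not Inngest's code): a method allowlist placed in front of the
// Inngest serve handler so PATCH, OPTIONS and DELETE never reach the SDK's
// generic fallback. Request/response types are simplified stand-ins.

type SdkRequest = { method: string; url: string };
type SdkResponse = { status: number; headers: Record<string, string>; body: string };
type SdkHandler = (req: SdkRequest) => SdkResponse;

// Only the methods the Inngest serve endpoint actually needs, per the advisory.
const ALLOWED_METHODS: ReadonlySet<string> = new Set(["GET", "POST", "PUT"]);

function isAllowedMethod(method: string): boolean {
  return ALLOWED_METHODS.has(method);
}

// Wrap any handler: allowed methods pass through, every other method gets 405
// with an Allow header, before the wrapped handler ever sees the request.
function withMethodAllowlist(handler: SdkHandler): SdkHandler {
  return (req) => {
    if (!isAllowedMethod(req.method)) {
      return {
        status: 405,
        headers: { Allow: Array.from(ALLOWED_METHODS).join(", ") },
        body: "Method Not Allowed",
      };
    }
    return handler(req);
  };
}

// Constructed stand-in for a vulnerable-era serve handler: known methods do real
// work, anything else falls through to a generic fallback. The marker string
// "diagnostic-fallback" stands in for the SDK's diagnostic response.
const mockServeHandler: SdkHandler = (req) => {
  if (isAllowedMethod(req.method)) {
    return { status: 200, headers: {}, body: `handled ${req.method}` };
  }
  return { status: 200, headers: {}, body: "diagnostic-fallback" };
};

const guardedHandler = withMethodAllowlist(mockServeHandler);

// Report which probe methods reach the fallback for a given handler; an empty
// result means the fallback is unreachable from the outside.
function fallbackReachable(handler: SdkHandler, methods: string[]): string[] {
  return methods.filter(
    (m) => handler({ method: m, url: "/api/inngest" }).body === "diagnostic-fallback",
  );
}

const PROBE_METHODS = ["GET", "POST", "PUT", "PATCH", "OPTIONS", "DELETE"];
```

Run `fallbackReachable(mockServeHandler, PROBE_METHODS)` to see the three methods that hit the fallback unguarded, and the same call on `guardedHandler` to confirm none do.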

Impact

The vulnerability exposes environment variables from the process.env object when a PATCH, OPTIONS, or DELETE request is sent to the serve handler endpoint. An attacker can therefore use such a request to extract sensitive environment variables, including any keys or secrets set there.

How

The serve() endpoint handles the GET, POST, and PUT methods; any other method falls through to a generic handler that returns diagnostic information. v3.22 introduced a change that added environment variables to that diagnostic information: the change modified an internal variable that held a reference to other environment variables, which caused the vulnerability.

At this time, there have been no reports that this vulnerability has been exploited for any of our customers.