CVE-2023-26108
Information Exposure vulnerability in core (npm)

Information Exposure | No known exploit

What is CVE-2023-26108 About?

This vulnerability in @nestjs/core versions before 9.0.5 leads to Information Exposure via the StreamableFile pipe. It allows streams wrapped by StreamableFile to remain open indefinitely if a client cancels a request while streaming, potentially exposing sensitive data. Exploitation occurs when a client prematurely disconnects from a streaming response.

Affected Software

@nestjs/core <9.0.5

Technical Details

The vulnerability in @nestjs/core arises from improper handling of client-side request cancellations when streaming a StreamableFile. If a client requests a StreamableFile and then cancels or disconnects before the stream is fully transmitted, the underlying stream wrapped by StreamableFile is not properly closed or disposed of. The stream is left active, and potentially accessible or in an undefined state, on the server side. This leads to information exposure if subsequent operations or garbage collection do not clear the open resource, or if the resource held by the stream exposes internal system details.
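The general Node.js behaviour behind this class of bug, as an added example (not code from NestJS or from this advisory): a source connected with `.pipe()` is not destroyed when the destination closes early, while `stream.pipeline()` destroys it. The in-memory streams and the names `makeSource`, `makeResponse`, `runTransfer` and `demo` are constructed stand-ins for the wrapped stream and the HTTP response.

```javascript
// Added illustration, not NestJS source. All streams are in-memory stand-ins.
const { Readable, Writable, pipeline } = require('stream');

// Constructed source: stands in for the stream wrapped by StreamableFile.
function makeSource() {
  let sent = 0;
  return new Readable({
    read() { this.push(sent++ < 1000 ? Buffer.alloc(1024, 0x41) : null); },
  });
}

// Constructed destination: stands in for the HTTP response to a slow client.
function makeResponse() {
  const res = new Writable({
    highWaterMark: 1024,
    write(chunk, encoding, done) {
      setTimeout(done, 5); // slow consumer, so the transfer is still in flight
    },
  });
  res.on('error', () => {}); // keep the demo quiet if a late write errors
  return res;
}

// Start a transfer, simulate the client cancelling mid-stream, then report
// whether the source stream was destroyed (i.e. its resource released).
function runTransfer(connect) {
  return new Promise((resolve) => {
    const source = makeSource();
    const response = makeResponse();
    connect(source, response);
    setTimeout(() => response.destroy(), 20); // client disconnects early
    setTimeout(() => resolve(source.destroyed), 100); // after events settle
  });
}

// .pipe() only unpipes when the destination closes; the source stays open.
const viaPipe = (source, response) => source.pipe(response);
// pipeline() destroys every stream in the chain on premature close.
const viaPipeline = (source, response) => pipeline(source, response, () => {});

async function demo() {
  const [pipeDestroyed, pipelineDestroyed] = await Promise.all([
    runTransfer(viaPipe),
    runTransfer(viaPipeline),
  ]);
  return { pipeDestroyed, pipelineDestroyed };
}

demo().then((result) => console.log(result));
```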

What is the Impact of CVE-2023-26108?

Successful exploitation may allow attackers to expose sensitive information or system details, potentially leading to unauthorized access, resource exhaustion, or further attacks.

What is the Exploitability of CVE-2023-26108?

Exploitation of this information exposure vulnerability occurs when a client cancels a request while a StreamableFile is being streamed. An attacker needs to initiate a streaming request and then intentionally terminate the connection prematurely to trigger the improper stream handling. Complexity is low, as it generally requires only simple manipulation of the network connection. No authentication or special privileges are required, as it relies on client-side behavior during a legitimate data stream. The attack vector is remote. The primary risk factor is an application that uses StreamableFile to deliver potentially sensitive information and allows clients to disconnect at will.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26108?

Available Upgrade Options

  • @nestjs/core
    • <9.0.5 → Upgrade to 9.0.5

Additional Resources

What are Similar Vulnerabilities to CVE-2023-26108?

Similar Vulnerabilities: CVE-2023-29496, CVE-2022-41713, CVE-2022-42969, CVE-2022-37706, CVE-2022-32149