Threat Feed
high threat exploited

Inngest SDK Exposes Environment Variables via Unhandled HTTP Methods

Inngest TypeScript SDK versions 3.22.0 through 3.53.1 expose environment variables through the `serve()` handler on unhandled HTTP methods: an unauthenticated remote attacker can exfiltrate the host process's environment variables by sending `PATCH`, `OPTIONS`, or `DELETE` requests to the `serve()` HTTP handler.

A vulnerability exists in the Inngest TypeScript SDK versions 3.22.0 through 3.53.1. This flaw allows unauthenticated remote attackers to extract environment variables from the host process by sending PATCH, OPTIONS, or DELETE requests to the serve() HTTP handler. The vulnerability arises because these HTTP methods are not explicitly handled and fall through to a diagnostic handler that inadvertently exposes the contents of process.env. This exposure includes sensitive information such as secrets, API keys, and credentials. Applications are vulnerable if they use the affected SDK versions and their serve() endpoint is reachable via the aforementioned HTTP methods. The vulnerability was introduced in version 3.22.0 and fixed in 3.54.0. There are no known reports of active exploitation at this time.

Attack Chain

  1. The attacker identifies an Inngest application using a vulnerable SDK version (3.22.0 - 3.53.1).
  2. The attacker determines the application’s serve() endpoint URL.
  3. The attacker sends an HTTP request to the serve() endpoint using the PATCH, OPTIONS, or DELETE method.
  4. The Inngest SDK’s serve() handler, lacking specific handling for these methods, falls through to a generic diagnostic handler.
  5. The diagnostic handler inadvertently includes the contents of process.env in its response.
  6. The attacker receives the HTTP response containing the application’s environment variables.
  7. The attacker extracts sensitive information from the environment variables, such as API keys or credentials.
  8. The attacker uses the extracted credentials to gain unauthorized access to resources or perform malicious actions.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to access sensitive environment variables. This can lead to the exposure of API keys, database credentials, and other secrets, potentially leading to unauthorized access to internal systems, data breaches, or other malicious activities. The number of affected applications depends on the adoption rate of the vulnerable Inngest SDK versions. Sectors utilizing Inngest for background job processing or event-driven architectures are particularly at risk.

Recommendation

  • Upgrade to inngest@3.54.0 or later to patch the vulnerability as mentioned in the overview.
  • Rotate any secrets that were present in environment variables (process.env) within affected environments, including Inngest signing keys and event keys, as described in the remediation steps in the advisory.
  • Search logs for requests to your serve endpoints that use the PATCH, OPTIONS, or DELETE HTTP methods to assess whether any environment variables may have been exposed, as described in the remediation steps in the advisory.
  • Adjust firewall or proxy rules so that only requests originating from Inngest IP addresses (listed at http://inngest.com/ips-v4 and http://inngest.com/ips-v6) can reach your serve endpoint.
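The last two recommendations (refuse non-standard methods, and accept the serve endpoint only from Inngest's published address ranges) can also be enforced in the application itself, in front of the serve() handler. The following is an added example written for this page, not Inngest's own code: the CIDR ranges are constructed placeholders (in production they would be loaded from the ips-v4 list), the `/api/inngest`-style handler signature is the plain Node `(req, res)` shape, and the IPv6 list is deliberately not handled, so IPv6 clients are refused.

```javascript
'use strict';

// Methods the serve() handler is expected to receive; anything else is refused
// before the handler runs, so no method can fall through to a diagnostic path.
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT']);

// Constructed placeholder ranges, NOT the real Inngest address space.
// In production, load the ranges published at http://inngest.com/ips-v4.
const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.0/25'];

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Node reports IPv4 clients on dual-stack sockets as '::ffff:a.b.c.d'.
function normalizeIp(addr) {
  return typeof addr === 'string' && addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Dotted-quad IPv4 -> unsigned 32-bit integer; null for anything else.
function ipv4ToInt(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = ((n << 8) | octet) >>> 0;
  }
  return n;
}

// True when ip lies inside cidr (e.g. '203.0.113.0/24').
function ipv4InCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const addr = ipv4ToInt(ip);
  const net = ipv4ToInt(base);
  if (addr === null || net === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    return false;
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// IPv4-only allowlist check. Clients from the ips-v6 list would need a
// parallel IPv6 check; this example deliberately rejects them.
function ipv4Allowed(addr, cidrs = ALLOWED_CIDRS) {
  const ip = normalizeIp(addr);
  return cidrs.some((c) => ipv4InCidr(ip, c));
}

// Decision for one request, given { method, remoteAddress }.
// Returns { allow: true } or { allow: false, status, reason }.
// Source address is checked first so an unknown client learns nothing about
// which methods the endpoint accepts.
function guardServeRequest(req, cidrs = ALLOWED_CIDRS) {
  if (!ipv4Allowed(req.remoteAddress, cidrs)) {
    return { allow: false, status: 403, reason: 'source address not in allowlist' };
  }
  const method = String(req.method || '').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    return { allow: false, status: 405, reason: `method ${method} not allowed` };
  }
  return { allow: true };
}

// Wrap a Node http-style (req, res) handler so refused requests never reach it.
// When refused, the decision object is returned instead of the handler's result.
function withServeGuard(handler, cidrs = ALLOWED_CIDRS) {
  return (req, res) => {
    const decision = guardServeRequest(
      { method: req.method, remoteAddress: req.socket && req.socket.remoteAddress },
      cidrs,
    );
    if (!decision.allow) {
      res.writeHead(decision.status, {
        'Content-Type': 'text/plain',
        Allow: [...ALLOWED_METHODS].join(', '),
      });
      res.end(decision.reason);
      return decision;
    }
    return handler(req, res);
  };
}
```

`req.socket.remoteAddress` is the address of whatever opened the TCP connection; behind a load balancer or reverse proxy that is the proxy, so the allowlist must then be applied at the proxy, or the guard must read a forwarded-address header that only the trusted proxy can set. Upgrading to 3.54.0 remains the actual fix; the guard limits exposure while the upgrade and secret rotation are carried out.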

Detection coverage (2 rules)

Detect Inngest Serve Endpoint Access with Non-Standard HTTP Methods

Severity: medium

Detects requests to the Inngest serve endpoint using HTTP methods other than GET, POST, or PUT, which could indicate an attempt to exploit the environment variable exposure vulnerability.

Format: sigma | Tactics: credential_access, initial_access | Techniques: T1189 | Sources: webserver, linux

Detect High Volume of HTTP OPTIONS Requests

Severity: low

Detects a high volume of HTTP OPTIONS requests which can be used for reconnaissance purposes. This can indicate an attempt to enumerate available resources and potentially identify vulnerable endpoints such as the Inngest serve endpoint.

Format: sigma | Tactics: discovery | Techniques: T1595.001 | Sources: webserver, linux


Indicators of compromise (2)

Type   Value
url    http://inngest.com/ips-v4
url    http://inngest.com/ips-v6