CVE-2026-42047— Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42047
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
Source: NVD (National Vulnerability Database)
Vulnerability Description
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
inngest-js 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
inngest-js是Inngest开源的一个支持多种无服务器平台的可靠事件驱动与后台任务执行框架。 inngest-js 3.22.0版本至3.53.1版本存在信息泄露漏洞,该漏洞源于serve() HTTP处理程序对PATCH、OPTIONS或DELETE请求返回诊断信息,其中包含process.env内容,可能导致未经身份验证的远程攻击者从主机进程窃取环境变量。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| inngest | inngest-js | >= 3.22.0, < 3.54.0 | - |
II. Public POCs for CVE-2026-42047
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42047
请登录查看更多情报信息。
- Release inngest@3.54.1 · inngest/inngest-js · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42047
IV. Related Vulnerabilities
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2026-42047
No comments yet