CVE-2026-42047
Status: Awaiting Analysis (Queue)
Environment Variable Exposure in Inngest Serve Handler

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler.

The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment.

An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method.

This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
NVD
Affected Vendors & Products
Vendor    Product    Version / Range
inngest   inngest    From 3.22.0 (inc) to 3.53.1 (inc)
inngest   inngest    3.54.0
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-497   The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
AI Quick Actions
Executive Summary

This vulnerability exists in Inngest versions 3.22.0 through 3.53.1, where unauthenticated remote attackers can exfiltrate environment variables from the host process via the serve() HTTP handler.

The serve() handler supports GET, POST, and PUT methods, but requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. Due to a change introduced in version 3.22.0, this diagnostic response includes the contents of process.env, exposing secrets, API keys, or credentials present in the environment.

Applications are vulnerable if their serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). However, Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method are not affected.

The issue was fixed in version 3.54.0. As a workaround, if upgrading is not immediately possible, restricting the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT methods can mitigate the vulnerability.

Impact Analysis

This vulnerability can lead to the exposure of sensitive environment variables such as secrets, API keys, or credentials from the host process to unauthenticated remote attackers.

Such exposure can compromise the security of the affected system by allowing attackers to gain unauthorized access to protected resources or services that rely on these secrets.

Because the vulnerability allows remote attackers to exfiltrate critical information without authentication, it poses a high risk of data breach and unauthorized access.

Detection Guidance

This vulnerability can be detected by checking if the serve() HTTP endpoint of Inngest versions 3.22.0 through 3.53.1 is reachable and responds to PATCH, OPTIONS, or DELETE HTTP methods with environment variable data.

A practical detection method is to send PATCH, OPTIONS, or DELETE requests to the serve() endpoint and observe if the response includes environment variables (process.env contents).

Example commands using curl to test the endpoint:

  • curl -X PATCH http://your-server/serve -v
  • curl -X OPTIONS http://your-server/serve -v
  • curl -X DELETE http://your-server/serve -v

If the response to these requests contains environment variables or sensitive information, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to restrict the serve() endpoint to accept only GET, POST, and PUT HTTP methods at the framework or reverse-proxy layer.

This prevents PATCH, OPTIONS, or DELETE requests from reaching the serve() handler and exposing environment variables.

Additionally, upgrading Inngest to version 3.54.0 or later, where this vulnerability is fixed, is recommended as a permanent solution.
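The following Node.js snippet illustrates the framework-layer workaround described above. It is an example added for this page, not code from Inngest or from the advisory: an `allowMethods` wrapper (an assumed name) that answers any method other than GET, POST and PUT with 405 before the wrapped handler runs, so the fallthrough branch that leaked process.env is never reached. The `fakeServe` handler and the `makeReq`/`makeRes` stubs are constructed stand-ins so the guard can be exercised offline; the real `serve()` export from Inngest is only referenced in the usage comments.

```javascript
// Method allowlist guard for CVE-2026-42047 (added example, not Inngest code).
// Inngest's serve() endpoint only needs GET, POST and PUT, so every other
// method is rejected with 405 before the wrapped handler ever runs.
const ALLOWED_METHODS = ["GET", "POST", "PUT"];

// allowMethods(handler[, allowed]) wraps a Node-style (req, res[, next]) handler.
// Assumed usage, following the framework signatures the advisory mentions:
//   Express:               app.use("/api/inngest", allowMethods(serve({ client, functions })));
//   Next.js Pages Router:  export default allowMethods(serve({ client, functions }));
function allowMethods(handler, allowed = ALLOWED_METHODS) {
  const allowedSet = new Set(allowed.map((m) => m.toUpperCase()));
  const allowHeader = [...allowedSet].join(", ");
  return function methodGuard(req, res, next) {
    const method = String(req.method || "").toUpperCase();
    if (!allowedSet.has(method)) {
      // RFC 9110 requires a 405 response to carry an Allow header.
      res.statusCode = 405;
      res.setHeader("Allow", allowHeader);
      res.setHeader("Content-Type", "text/plain");
      res.end("Method Not Allowed");
      return { forwarded: false, status: 405 };
    }
    handler(req, res, next);
    return { forwarded: true, status: res.statusCode };
  };
}

// --- Constructed stand-ins so the guard can be exercised offline -----------

// fakeServe mimics the shape of a serve()-style handler: it accepts the three
// supported methods and, for anything else, falls through to a "diagnostic"
// branch. Here that branch only reports that it was reached; it does not
// dump the environment.
function fakeServe(req, res) {
  res.statusCode = 200;
  res.setHeader("Content-Type", "application/json");
  if (["GET", "POST", "PUT"].includes(req.method)) {
    res.end(JSON.stringify({ ok: true, method: req.method }));
  } else {
    res.end(JSON.stringify({ diagnostic: "fallthrough branch reached" }));
  }
}

// Minimal request object (constructed).
function makeReq(method) {
  return { method, url: "/api/inngest", headers: {} };
}

// Minimal response stub recording what a guard or handler wrote (constructed).
function makeRes() {
  return {
    statusCode: 200,
    headers: {},
    body: "",
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(chunk = "") { this.body += String(chunk); },
  };
}

// Run one method through the unguarded and the guarded handler and report
// whether the fallthrough branch was reachable in each case.
function probe(method) {
  const bare = makeRes();
  fakeServe(makeReq(method), bare);
  const guarded = makeRes();
  const result = allowMethods(fakeServe)(makeReq(method), guarded);
  return {
    method,
    unguardedReachedFallthrough: bare.body.includes("fallthrough"),
    guardedStatus: result.status,
    guardedAllowHeader: guarded.headers["allow"] || null,
    guardedReachedFallthrough: guarded.body.includes("fallthrough"),
  };
}

// Example run: PATCH reaches the fallthrough branch unguarded, but is
// answered with 405 (Allow: GET, POST, PUT) once wrapped.
console.log(probe("PATCH"));
console.log(probe("POST"));
```

The same allowlist can be expressed at a reverse proxy (for example by matching on the request method in front of the Inngest route), which the advisory also names as a valid place for the restriction; the in-process guard shown here is useful where the proxy is not under the application team's control.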

Compliance Impact

This vulnerability allows unauthenticated remote attackers to exfiltrate environment variables from the host process, which may include secrets, API keys, or credentials. Exposure of such sensitive information can lead to unauthorized access to personal data or protected health information.

As a result, this vulnerability could impact compliance with regulations like GDPR and HIPAA, which require protection of sensitive data and credentials to prevent unauthorized disclosure.

Organizations using affected versions of Inngest should upgrade to version 3.54.0 or implement workarounds to restrict HTTP methods to mitigate the risk and maintain compliance.
