CVE-2023-26108: @nestjs/core vulnerable to Information Exposure via StreamableFile pipe

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.26166%
Published: 3/6/2023
Updated: 3/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: @nestjs/core
Ecosystem: npm
Vulnerable Versions: < 9.0.5
First Patched Version: 9.0.5

Vulnerability Intelligence
Root Cause Analysis

The primary vulnerability stemmed from ExpressAdapter's use of stream.pipe() instead of stream.pipeline(). Unlike pipeline(), pipe() doesn't automatically close streams on cancellation or errors. The StreamableFile's error handler was also insufficient, as it didn't account for mid-stream failures. The fix in PR #9819 replaced pipe() with pipeline() and added robust error handling, confirming these were the problematic areas.
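
The pipe() versus pipeline() difference described above can be reproduced with plain Node.js streams. This is an added example, not code from NestJS or PR #9819; makeSource, makeResponse and sourceDestroyedAfterCancel are hypothetical names, and both streams are constructed stand-ins for the file stream and the HTTP response.

```javascript
// Added example, not NestJS source code. It models the failure mode with
// plain Node.js streams: a destination that goes away mid-transfer.
const { Readable, Writable, pipeline } = require('node:stream');

// Constructed stand-in for the file stream inside a StreamableFile:
// it sends one chunk and then stays open, like a large file still being read.
function makeSource() {
  let sent = false;
  return new Readable({
    read() {
      if (!sent) { sent = true; this.push('first chunk'); }
    },
  });
}

// Constructed stand-in for the HTTP response object.
function makeResponse() {
  return new Writable({ write(chunk, encoding, done) { done(); } });
}

// Connects source to response with `connect`, simulates the client
// cancelling the request, and reports whether the source was released.
function sourceDestroyedAfterCancel(connect) {
  return new Promise((resolve) => {
    const source = makeSource();
    const response = makeResponse();
    connect(source, response);
    setImmediate(() => {
      response.destroy(); // client cancels: the response closes early
      setImmediate(() => {
        const released = source.destroyed;
        source.destroy(); // clean up the stream left open in the pipe() case
        resolve(released);
      });
    });
  });
}

// Pattern before the fix: pipe() only unpipes when the destination closes.
const withPipe = (src, res) => src.pipe(res);
// Pattern after the fix: pipeline() destroys every stream on error or early close.
const withPipeline = (src, res) => pipeline(src, res, () => {});

async function main() {
  console.log('pipe():     source released =', await sourceDestroyedAfterCancel(withPipe));
  console.log('pipeline(): source released =', await sourceDestroyedAfterCancel(withPipeline));
}
main();
```

With pipe() the source is still open after the response closes, which on a real file stream means a file descriptor that stays allocated; with pipeline() the source is destroyed as soon as the destination closes early.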

WAF Protection Rules

WAF Rule

Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapp
