CVE-2023-26108: @nestjs/core vulnerable to Information Exposure via StreamableFile pipe
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.26166%
CWE
Published
3/6/2023
Updated
3/13/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @nestjs/core | npm | < 9.0.5 | 9.0.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The primary vulnerability stemmed from ExpressAdapter's use of stream.pipe() instead of stream.pipeline(), which doesn't automatically close streams on cancellation/errors. The StreamableFile's error handler was also insufficient as it didn't account for mid-stream failures. The fix in PR #9819 replaced pipe() with pipeline() and added robust error handling, confirming these were the problematic areas.