N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8g98-m4j9-qww5

EPSS Score

CWE

CWE-22

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-8g98-m4j9-qww5

GHSA-8g98-m4j9-qww5:
Taylored webhook validation vulnerabilities

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of `taylored`. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.

All users who have installed or generated a `taysell-server` using version 7.0.7 of `taylored` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below. Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:

Path Traversal in Patch Download: The patch download endpoint did not properly sanitize the user-provided `patchId`. An attacker could have crafted a request with path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files from the server's filesystem. The `patchId` is now sanitized to ensure only files within the intended patches directory can be accessed.
Missing PayPal Webhook Validation: The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
Purchase Token Replay Vulnerability: A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
Insufficient PBKDF2 Iterations: The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.

Required Actions

To fix these vulnerabilities, users of version 7.0.7 must upgrade the `taylored` tool and regenerate their `taysell-server` instance.

Please follow these steps carefully:

Upgrade to the Secure Version of `taylored`: Open your terminal and run the following command to install the latest version: ```bash npm install -g taylored@latest ``` Verify that you have version 7.0.8 or later.
Remove the Vulnerable Backend: Navigate to the project directory where you previously generated the backend with v7.0.7 and completely delete the old `taysell-server` directory. ```bash

Back up any customizations if necessary

rm -rf taysell-server ```
Generate the New, Secure Backend: From the same directory, run the `setup-backend` command again using the upgraded `taylored` tool. This will create a new `taysell-server` directory with the patched, secure code. ```bash taylored setup-backend ``` Follow the prompts and enter your PayPal credentials and server configuration. Using a new, strong, and unique `PATCH_ENCRYPTION_KEY` is highly recommended.
Recreate and Re-upload Commercial Patches: Due to the cryptography improvements, patches created with version 7.0.7 are not compatible with the new, secure backend. You must recreate them:
- For each of your commercial patches, run the `taylored create-taysell` command again.
- Upload the new encrypted files (e.g., `patch-name.taylored.encrypted`) to the `patches/` directory of your new `taysell-server`.
Launch the New Server: Start your new backend using Docker Compose: ```bash cd taysell-server docker-compose up --build -d ```

For questions or support, please refer to the official documentation or open an issue on our GitHub repository.

Thank you for your attention to this important update.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8g98-m4j9-qww5

EPSS Score

CWE

CWE-22

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
taylored	npm	>= 7.0.5, < 7.0.8	7.0.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerabilities reside in the 'Backend-in-a-Box' template (taysell-server) generated by taylored version 7.0.7. The analysis of the commit 57b7634391959dbbdb39b387ac4dc68157cd58a1 and the security advisory GHSA-8g98-m4j9-qww5 reveals several issues:

Path Traversal: The /get-patch endpoint in templates/backend-in-a-box/index.js did not sanitize the patchId parameter, allowing arbitrary file reads. The vulnerable code pattern involved the direct use of patchId in path.join.
Missing Webhook Validation: The /paypal/webhook endpoint in templates/backend-in-a-box/index.js did not verify the signature of incoming PayPal webhooks, allowing attackers to spoof purchase completion events. The patch added cryptographic verification.
Token Replay: The /get-patch endpoint allowed reuse of purchase tokens as it lacked a mechanism to mark tokens as used. The patch introduced the token_used_at field and corresponding checks.
Insufficient PBKDF2 Iterations: Both the patch encryption function (encryptAES256GCM in lib/taysell-utils.ts) and the decryption function (decryptAES256GCM in templates/backend-in-a-box/index.js) used a low PBKDF2 iteration count (100,000), weakening the encryption. The patch increased this to 310,000.

The identified functions are the direct handlers of malicious input or perform cryptographic operations with weakened parameters. These functions would appear in runtime profiles or stack traces during exploitation or when processing affected data.

Vulnerable functions

handler.POST:/get-patch

templates/backend-in-a-box/index.js

This Express.js route handler was vulnerable to path traversal because it used the user-supplied `patchId` from the request body to construct a file path for patch download without proper sanitization. An attacker could provide a crafted `patchId` (e.g., `../../etc/passwd`) to read arbitrary files from the server. Additionally, it was vulnerable to purchase token replay because it did not invalidate purchase tokens after their first use, allowing a legitimate token to be reused indefinitely to download patches.

handler.POST:/paypal/webhook

templates/backend-in-a-box/index.js

This Express.js route handler was vulnerable because it processed incoming PayPal webhook notifications without cryptographically verifying their authenticity (e.g., checking the signature). An attacker could send a spoofed webhook request to this endpoint, tricking the server into believing a payment was successfully completed, thereby gaining unauthorized access to paid patches.

decryptAES256GCM

templates/backend-in-a-box/index.js

This function, responsible for decrypting patches in the backend server, used PBKDF2 for key derivation with an insufficient number of iterations (100,000). This made the encryption weaker and more susceptible to offline brute-force attacks if an attacker obtained an encrypted patch file and had or could guess the encryption key.

encryptAES256GCM

lib/taysell-utils.ts

This function, used by the `taylored` CLI tool to encrypt commercial patches before they are uploaded to the server, employed PBKDF2 for key derivation with an insufficient number of iterations (100,000). This resulted in patches being encrypted with a weaker key, making them more susceptible to brute-force attacks if the encrypted files were obtained by an attacker.

WAF Protection Rules

WAF Rule

### *riti**l S**urity **visory *or T*ylor** npm p**k*** v*.*.* - t** *.*.* #### Summ*ry * s*ri*s o* mo**r*t* to *i**-s*v*rity s**urity vuln*r**iliti*s **v* ***n i**nti*i** sp**i*i**lly in v*rsion ***.*.* o* \`t*ylor**\`**. T**s* vuln*r**iliti*s r*s

Reasoning

T** vuln*r**iliti*s r*si** in t** '***k*n*-in-*-*ox' t*mpl*t* (`t*ys*ll-s*rv*r`) **n*r*t** *y `t*ylor**` v*rsion *.*.*. T** *n*lysis o* t** *ommit `****************************************` *n* t** s**urity **visory **S*-****-m*j*-qww* r*v**ls s*v*r*

N/A

Basic Information

Concerned about an active attack path?

GHSA-8g98-m4j9-qww5: Taylored webhook validation vulnerabilities

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

Summary

Vulnerabilities Patched in v7.0.8

Required Actions

Back up any customizations if necessary

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-8g98-m4j9-qww5:
Taylored webhook validation vulnerabilities

Vulnerability Intelligence
Miggo AI