CVE-2023-26108

EUVD-2023-0867
Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
snykCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Affected Products (NVD)
VendorProductVersion
nestjsnest
𝑥
< 9.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nestjs/nest/issues/9759
https://github.com/nestjs/nest/pull/9819
https://github.com/nestjs/nest/pull/9819/commits/f59cf5e81ca73bcdf1b5b36713550fd93918db41
https://security.snyk.io/vuln/SNYK-JS-NESTJSCORE-2869127
https://github.com/nestjs/nest/issues/9759
https://github.com/nestjs/nest/pull/9819
https://github.com/nestjs/nest/pull/9819/commits/f59cf5e81ca73bcdf1b5b36713550fd93918db41
https://security.snyk.io/vuln/SNYK-JS-NESTJSCORE-2869127