payload 3.0.0-canary.f83d96a vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the payload package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the external file upload endpoint due to insufficient validation of HTTP redirects. An attacker can access internal network resources and retrieve response content from internal services by submitting crafted external URLs for file uploads. Note: This is only exploitable if at least one collection has upload enabled and the attacker has create access to that upload-enabled collection. How to fix Server-side Request Forgery (SSRF)? Upgrade `payload` to version 3.75.0 or higher.	<3.75.0
L Authorization Bypass Through User-Controlled Key payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the auth collections in multi-auth collection environments using Postgres or SQLite with serial or auto-increment IDs. An attacker can access and delete preferences belonging to users in different authentication collections by exploiting numeric ID collisions. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `payload` to version 3.74.0 or higher.	<3.74.0
M Insufficient Session Expiration payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate JSON Web Tokens after user log out. An attacker can maintain unauthorised access by reusing a stolen or intercepted token until its expiration date. How to fix Insufficient Session Expiration? Upgrade `payload` to version 3.44.0 or higher.	<3.44.0
M Insufficient Session Expiration payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Insufficient Session Expiration due to the reuse of user identifiers in the account creation process. An attacker can gain unauthorised access to a newly created user account by reusing a previously saved JSON Web Token (JWT) after deleting the original account. How to fix Insufficient Session Expiration? Upgrade `payload` to version 3.44.0 or higher.	<3.44.0

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

payload is a Node, React and MongoDB Headless CMS and Application Framework

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the external file upload endpoint due to insufficient validation of HTTP redirects. An attacker can access internal network resources and retrieve response content from internal services by submitting crafted external URLs for file uploads.

Note:

This is only exploitable if at least one collection has upload enabled and the attacker has create access to that upload-enabled collection.

How to fix Server-side Request Forgery (SSRF)?

Upgrade payload to version 3.75.0 or higher.

<3.75.0

Authorization Bypass Through User-Controlled Key

payload is a Node, React and MongoDB Headless CMS and Application Framework

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the auth collections in multi-auth collection environments using Postgres or SQLite with serial or auto-increment IDs. An attacker can access and delete preferences belonging to users in different authentication collections by exploiting numeric ID collisions.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade payload to version 3.74.0 or higher.

<3.74.0

Insufficient Session Expiration

payload is a Node, React and MongoDB Headless CMS and Application Framework

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate JSON Web Tokens after user log out. An attacker can maintain unauthorised access by reusing a stolen or intercepted token until its expiration date.

How to fix Insufficient Session Expiration?

Upgrade payload to version 3.44.0 or higher.

<3.44.0

Insufficient Session Expiration

payload is a Node, React and MongoDB Headless CMS and Application Framework

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the reuse of user identifiers in the account creation process. An attacker can gain unauthorised access to a newly created user account by reusing a previously saved JSON Web Token (JWT) after deleting the original account.

How to fix Insufficient Session Expiration?

Upgrade payload to version 3.44.0 or higher.

<3.44.0

payload@3.0.0-canary.f83d96a vulnerabilities

Node, React, Headless CMS and Application Framework built on Next.js

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically