Generation of Error Message Containing Sensitive Information Affecting zsa package, versions <0.3.3


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ZSA-7218891
  • published 7 Jun 2024
  • disclosed 6 Jun 2024
  • credit Tom Sherman

How to fix?

Upgrade zsa to version 0.3.3 or higher.

Overview

zsa is a zsa is a library for building typesafe server actions in Next.js. It provides a simple, scalable developer experience with features like validated inputs/outputs, procedures (middleware) for passing context to server actions, and React Query integration

Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information due to the error message generation process. An attacker can obtain sensitive server information, such as machine usernames and directory paths, by exploiting the transfer of parse error stacks from the server to the client in production build mode.

References

CVSS Scores

version 3.1
Expand this section

Snyk

5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None