Homepage
About Snyk

Generation of Error Message Containing Sensitive Information Affecting zsa package, versions <0.3.3

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ZSA-7218891
  • published 7 Jun 2024
  • disclosed 6 Jun 2024
  • credit Tom Sherman
Report a new vulnerability Found a mistake?

Introduced: 6 Jun 2024

CVE-2024-37162 Open this link in a new tab
CWE-209 Open this link in a new tab

How to fix?

Upgrade zsa to version 0.3.3 or higher.

Overview

zsa is a zsa is a library for building typesafe server actions in Next.js. It provides a simple, scalable developer experience with features like validated inputs/outputs, procedures (middleware) for passing context to server actions, and React Query integration

Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information due to the error message generation process. An attacker can obtain sensitive server information, such as machine usernames and directory paths, by exploiting the transfer of parse error stacks from the server to the client in production build mode.

References

CVSS Scores

version 3.1
Expand this section

Snyk

5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None