CVE-2024-37162

low-risk
Published 2024-06-07

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. This has been patched on `0.3.3`.

Do I need to act?

-
0.32% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.0/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Zsa

Affected Vendors

Idopesok

References (4)

Patch https://github.com/IdoPesok/zsa/commit/86b86b282bde6780963f62406cc8bc65f2c86f3a
Vendor Advisory https://github.com/IdoPesok/zsa/security/advisories/GHSA-wjmj-h3xc-hxp8
Patch https://github.com/IdoPesok/zsa/commit/86b86b282bde6780963f62406cc8bc65f2c86f3a
Vendor Advisory https://github.com/IdoPesok/zsa/security/advisories/GHSA-wjmj-h3xc-hxp8
20
/ 100
low-risk
Severity 14/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal