SCA: security update for inngest (GHSA-2jf5-6wwv-vhxx)

Severity: high | Tenable Cloud Security | Plugin ID 441641

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Inngest is a platform for running event-driven and scheduled background functions with queueing, retries,
and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated
remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler.
The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall
through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused
this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or
credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable
via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's
app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and
applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around
this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or
reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any
other HTTP methods. (CVE-2026-42047)
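The workaround described above (restricting the serve() endpoint to GET, POST and PUT at the framework layer) can be implemented as a small method allowlist placed in front of the handler. The following is an added illustration, not code from this plugin page or from the Inngest project: `withMethodAllowlist`, `simulate`, `fakeServeHandler` and `makeResponse` are names chosen here, the inner handler is a constructed stand-in rather than the real serve() result, and the `serve({ client, functions })` wiring shown in comments is assumed, not taken from the page. The `(req, res, next)` signature is the one Express middleware and Next.js Pages Router API routes use, which are the two setups the advisory names as commonly exposed.

```javascript
// Added example, not Inngest's or Tenable's code. A method allowlist placed in
// front of the Inngest serve() handler, implementing the advisory's workaround:
// only GET, POST and PUT reach serve(); PATCH, OPTIONS and DELETE are answered
// with 405 before the library's generic fallback can run. The (req, res, next)
// signature matches Express and Next.js Pages Router API routes; the inner
// handler below is a constructed stand-in, not the real serve() result.

const ALLOWED_METHODS = Object.freeze(['GET', 'POST', 'PUT']);

// Wraps any (req, res, next)-style handler so disallowed methods never reach it.
function withMethodAllowlist(innerHandler, allowed = ALLOWED_METHODS) {
  const allowSet = new Set(allowed.map((m) => m.toUpperCase()));
  const allowHeader = allowed.join(', ');
  return function guardedHandler(req, res, next) {
    const method = String(req.method || '').toUpperCase();
    if (!allowSet.has(method)) {
      // A 405 response carries an Allow header listing the permitted methods.
      res.statusCode = 405;
      res.setHeader('Allow', allowHeader);
      res.end('Method Not Allowed');
      return { reachedInner: false, status: 405 };
    }
    return innerHandler(req, res, next);
  };
}

// Constructed stand-in for the handler returned by inngest's serve(): it only
// records that a request got through. It does not model the vulnerable
// fallback; the point is that the guard keeps those methods away from it.
function fakeServeHandler(req, res) {
  res.statusCode = 200;
  res.end(`inngest handled ${req.method}`);
  return { reachedInner: true, status: 200 };
}

// Minimal response double (constructed) so the guard can be exercised offline.
function makeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(chunk) { this.body = chunk == null ? '' : String(chunk); },
  };
}

// Runs one request through the guarded handler and reports the outcome.
function simulate(method, handler = withMethodAllowlist(fakeServeHandler)) {
  const req = { method, url: '/api/inngest', headers: {} };
  const res = makeResponse();
  const outcome = handler(req, res, () => {});
  return { ...outcome, allow: res.headers['allow'] || null, body: res.body };
}

// Assumed wiring (not run here):
//   Express:  app.use('/api/inngest', withMethodAllowlist(serve({ client, functions })));
//   Next.js Pages Router (pages/api/inngest.js):
//             export default withMethodAllowlist(serve({ client, functions }));

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of ['GET', 'POST', 'PUT', 'PATCH', 'OPTIONS', 'DELETE']) {
    const r = simulate(m);
    console.log(`${m.padEnd(7)} -> ${r.status} ${r.reachedInner ? 'passed to serve()' : 'blocked'}`);
  }
}
```

The guard is deliberately an allowlist rather than a denylist of PATCH/OPTIONS/DELETE, so HEAD or any other method that Express's `app.use(...)` would otherwise route to the handler is blocked too; the advisory states that serve() needs no methods beyond GET, POST and PUT. The same restriction can be applied at a reverse proxy in front of the application, which protects every framework wiring at once.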

Solution

Update the inngest library and its related packages to version 3.54.0 or later.

See Also

https://github.com/advisories/GHSA-2jf5-6wwv-vhxx

Plugin Details

Severity: High

ID: 441641

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/11/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.26

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-42047

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2026

Vulnerability Publication Date: 5/5/2026

Reference Information

CVE: CVE-2026-42047