CVE-2026-42047: Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
A vulnerability in the Inngest TypeScript SDK versions 3.22.0 through 3.53.1 allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler.
The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment.
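As an added example written for this page (not code from the Inngest project or from the advisory), the following TypeScript shows two defender-side checks for this issue: a version test that flags an `inngest` dependency inside the stated affected range 3.22.0 through 3.53.1, and a framework-agnostic method allowlist that answers 405 to any method other than GET, POST and PUT before the wrapped handler runs, so the fall-through diagnostic path is never reached. The `SimpleRequest`/`SimpleResponse` shapes, the `allowOnlyMethods` wrapper and the `makeLeakyHandlerStandIn` model are assumptions made for the example; they are not the SDK's types or its real handler.

```typescript
// Added example for CVE-2026-42047; not from the Inngest project or the advisory.
// 1. isAffectedInngestVersion(): flags SDK versions in the affected range
//    3.22.0 .. 3.53.1 (inclusive) given in the advisory.
// 2. allowOnlyMethods(): rejects any method outside an allowlist before the
//    wrapped handler runs, so PATCH/OPTIONS/DELETE never hit the fall-through path.
// Request/response shapes are simplified stand-ins (assumption), not SDK types.

type SemVer = [number, number, number];

function parseSemVer(version: string): SemVer | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemVer(a: SemVer, b: SemVer): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside the advisory's affected range 3.22.0-3.53.1.
function isAffectedInngestVersion(version: string): boolean {
  const v = parseSemVer(version);
  if (!v) return false; // unparsable: cannot claim it is affected
  return compareSemVer(v, [3, 22, 0]) >= 0 && compareSemVer(v, [3, 53, 1]) <= 0;
}

// Scan a simplified name -> version map (e.g. flattened from a lockfile; assumption)
// and return the affected inngest versions found.
function findAffectedInngest(lock: Record<string, string>): string[] {
  return Object.keys(lock)
    .filter((name) => name === "inngest" && isAffectedInngestVersion(lock[name]))
    .map((name) => lock[name]);
}

// Simplified request/response stand-ins (assumption).
interface SimpleRequest { method: string; path: string; body?: string }
interface SimpleResponse { status: number; headers: Record<string, string>; body: string }
type Handler = (req: SimpleRequest) => SimpleResponse;

// Wrap a handler so only allowlisted methods reach it; anything else gets a
// 405 with an Allow header and an empty body (no diagnostics, no environment).
function allowOnlyMethods(handler: Handler, allowed: string[]): Handler {
  const allowSet = new Set(allowed.map((m) => m.toUpperCase()));
  const allowHeader = Array.from(allowSet).join(", ");
  return (req) => {
    if (!allowSet.has(req.method.toUpperCase())) {
      return { status: 405, headers: { Allow: allowHeader }, body: "" };
    }
    return handler(req);
  };
}

// Stand-in for an unpatched serve() handler (assumption): models the behaviour
// the advisory describes, where methods other than GET/POST/PUT fall through to
// a diagnostic response that includes the environment. Used only to show that
// the wrapper above stops that response from ever being produced.
function makeLeakyHandlerStandIn(env: Record<string, string>): Handler {
  return (req) => {
    switch (req.method.toUpperCase()) {
      case "GET":
      case "POST":
      case "PUT":
        return { status: 200, headers: {}, body: "handled" };
      default:
        return { status: 200, headers: {}, body: JSON.stringify({ env }) };
    }
  };
}
```

The allowlist wrapper is a compensating control at the edge, not a fix: the affected range ends at 3.53.1, so moving the dependency past that range is the remediation, and any secret that was present in the environment of an exposed deployment should be treated as disclosed and rotated (see the key-rotation reference below).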
References
- github.com/advisories/GHSA-2jf5-6wwv-vhxx
- github.com/inngest/inngest-js
- github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx
- nvd.nist.gov/vuln/detail/CVE-2026-42047
- vercel.com/docs/deployment-protection
- vercel.com/kb/guide/how-do-i-delete-an-individual-deployment
- www.inngest.com/docs/events/creating-an-event-key
- www.inngest.com/docs/learn/security
- www.inngest.com/docs/learn/serving-inngest-functions
- www.inngest.com/docs/platform/manage/rotating-keys
- www.inngest.com/docs/platform/signing-keys