GHSA-8G98-M4J9-QWW5

Vulnerability from github – Published: 2025-06-18 17:51 – Updated: 2025-06-18 17:51
VLAI
Summary
Taylored webhook validation vulnerabilities
Details

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of `taylored`. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.

All users who have installed or generated a `taysell-server` using version 7.0.7 of `taylored` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below. Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:

  1. Path Traversal in Patch Download: The patch download endpoint did not properly sanitize the user-provided `patchId`. An attacker could have crafted a request with path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files from the server's filesystem. The `patchId` is now sanitized to ensure only files within the intended patches directory can be accessed.
  2. Missing PayPal Webhook Validation: The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
  3. Purchase Token Replay Vulnerability: A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
  4. Insufficient PBKDF2 Iterations: The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.

Required Actions

To fix these vulnerabilities, users of version 7.0.7 must upgrade the `taylored` tool and regenerate their `taysell-server` instance.

Please follow these steps carefully:

  1. Upgrade to the Secure Version of `taylored`: Open your terminal and run the following command to install the latest version: ```bash npm install -g taylored@latest ``` Verify that you have version 7.0.8 or later.

  2. Remove the Vulnerable Backend: Navigate to the project directory where you previously generated the backend with v7.0.7 and completely delete the old `taysell-server` directory. ```bash # Back up any customizations if necessary rm -rf taysell-server ```

  3. Generate the New, Secure Backend: From the same directory, run the `setup-backend` command again using the upgraded `taylored` tool. This will create a new `taysell-server` directory with the patched, secure code. ```bash taylored setup-backend ``` Follow the prompts and enter your PayPal credentials and server configuration. Using a new, strong, and unique `PATCH_ENCRYPTION_KEY` is highly recommended.

  4. Recreate and Re-upload Commercial Patches: Due to the cryptography improvements, patches created with version 7.0.7 are not compatible with the new, secure backend. You must recreate them:

    • For each of your commercial patches, run the `taylored create-taysell` command again.
    • Upload the new encrypted files (e.g., `patch-name.taylored.encrypted`) to the `patches/` directory of your new `taysell-server`.
  5. Launch the New Server: Start your new backend using Docker Compose: ```bash cd taysell-server docker-compose up --build -d ```

For questions or support, please refer to the official documentation or open an issue on our GitHub repository.

Thank you for your attention to this important update.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "taylored"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.5"
            },
            {
              "fixed": "7.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-294",
      "CWE-345",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-18T17:51:03Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5\n\n#### Summary\n\nA series of moderate to high-severity security vulnerabilities have been identified specifically in version **7.0.7 of \\`taylored\\`**. These vulnerabilities reside in the \"Backend-in-a-Box\" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.\n\n**All users who have installed or generated a \\`taysell-server\\` using version 7.0.7 of \\`taylored\\` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below.** Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.\n\n#### Vulnerabilities Patched in v7.0.8\n\nVersion 7.0.8 addresses the following issues found in the v7.0.7 template:\n\n1.  **Path Traversal in Patch Download:** The patch download endpoint did not properly sanitize the user-provided \\`patchId\\`. An attacker could have crafted a request with path traversal sequences (e.g., \\`../../etc/passwd\\`) to read arbitrary files from the server\u0027s filesystem. The \\`patchId\\` is now sanitized to ensure only files within the intended patches directory can be accessed.\n2.  **Missing PayPal Webhook Validation:** The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.\n3.  **Purchase Token Replay Vulnerability:** A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.\n4.  **Insufficient PBKDF2 Iterations:** The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.\n\n### Required Actions\n\nTo fix these vulnerabilities, users of version **7.0.7** must **upgrade the \\`taylored\\` tool and regenerate their \\`taysell-server\\` instance**.\n\nPlease follow these steps carefully:\n\n1.  **Upgrade to the Secure Version of \\`taylored\\`:**\n    Open your terminal and run the following command to install the latest version:\n    \\`\\`\\`bash\n    npm install -g taylored@latest\n    \\`\\`\\`\n    Verify that you have version 7.0.8 or later.\n\n2.  **Remove the Vulnerable Backend:**\n    Navigate to the project directory where you previously generated the backend with v7.0.7 and **completely delete the old \\`taysell-server\\` directory**.\n    \\`\\`\\`bash\n    # Back up any customizations if necessary\n    rm -rf taysell-server\n    \\`\\`\\`\n\n3.  **Generate the New, Secure Backend:**\n    From the same directory, run the \\`setup-backend\\` command again using the upgraded \\`taylored\\` tool. This will create a new \\`taysell-server\\` directory with the patched, secure code.\n    \\`\\`\\`bash\n    taylored setup-backend\n    \\`\\`\\`\n    Follow the prompts and enter your PayPal credentials and server configuration. **Using a new, strong, and unique \\`PATCH_ENCRYPTION_KEY\\` is highly recommended.**\n\n4.  **Recreate and Re-upload Commercial Patches:**\n    Due to the cryptography improvements, **patches created with version 7.0.7 are not compatible with the new, secure backend**. You must recreate them:\n    * For each of your commercial patches, run the \\`taylored create-taysell\\` command again.\n    * Upload the new encrypted files (e.g., \\`patch-name.taylored.encrypted\\`) to the \\`patches/\\` directory of your new \\`taysell-server\\`.\n\n5.  **Launch the New Server:**\n    Start your new backend using Docker Compose:\n    \\`\\`\\`bash\n    cd taysell-server\n    docker-compose up --build -d\n    \\`\\`\\`\n\nFor questions or support, please refer to the official documentation or open an issue on our GitHub repository.\n\nThank you for your attention to this important update.",
  "id": "GHSA-8g98-m4j9-qww5",
  "modified": "2025-06-18T17:51:03Z",
  "published": "2025-06-18T17:51:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tailot/taylored/security/advisories/GHSA-8g98-m4j9-qww5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tailot/taylored/commit/57b7634391959dbbdb39b387ac4dc68157cd58a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tailot/taylored"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Taylored webhook validation vulnerabilities"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…