GHSA-8g98-m4j9-qww5 – taylored
Package
Manager: npm
Name: taylored
Vulnerable Version: >=7.0.5 <7.0.8
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Taylored webhook validation vulnerabilities

### Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

#### Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version **7.0.7 of `taylored`**. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.

**All users who have installed or generated a `taysell-server` using version 7.0.7 of `taylored` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below.**

Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

#### Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:

1. **Path Traversal in Patch Download:** The patch download endpoint did not properly sanitize the user-provided `patchId`. An attacker could have crafted a request with path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files from the server's filesystem. The `patchId` is now sanitized to ensure only files within the intended patches directory can be accessed.
2. **Missing PayPal Webhook Validation:** The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
3. **Purchase Token Replay Vulnerability:** A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
4. **Insufficient PBKDF2 Iterations:** The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.
### Required Actions

To fix these vulnerabilities, users of version **7.0.7** must **upgrade the `taylored` tool and regenerate their `taysell-server` instance**. Please follow these steps carefully:

1. **Upgrade to the Secure Version of `taylored`:** Open your terminal and run the following command to install the latest version:

   ```bash
   npm install -g taylored@latest
   ```

   Verify that you have version 7.0.8 or later.

2. **Remove the Vulnerable Backend:** Navigate to the project directory where you previously generated the backend with v7.0.7 and **completely delete the old `taysell-server` directory**.

   ```bash
   # Back up any customizations if necessary
   rm -rf taysell-server
   ```

3. **Generate the New, Secure Backend:** From the same directory, run the `setup-backend` command again using the upgraded `taylored` tool. This will create a new `taysell-server` directory with the patched, secure code.

   ```bash
   taylored setup-backend
   ```

   Follow the prompts and enter your PayPal credentials and server configuration. **Using a new, strong, and unique `PATCH_ENCRYPTION_KEY` is highly recommended.**

4. **Recreate and Re-upload Commercial Patches:** Due to the cryptography improvements, **patches created with version 7.0.7 are not compatible with the new, secure backend**. You must recreate them:
   * For each of your commercial patches, run the `taylored create-taysell` command again.
   * Upload the new encrypted files (e.g., `patch-name.taylored.encrypted`) to the `patches/` directory of your new `taysell-server`.

5. **Launch the New Server:** Start your new backend using Docker Compose:

   ```bash
   cd taysell-server
   docker-compose up --build -d
   ```

For questions or support, please refer to the official documentation or open an issue on our GitHub repository. Thank you for your attention to this important update.
Metadata
Created: 2025-06-18T17:51:03Z
Modified: 2025-06-18T17:51:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8g98-m4j9-qww5/GHSA-8g98-m4j9-qww5.json
CWE IDs: ["CWE-22", "CWE-294", "CWE-345", "CWE-916"]
Alternative ID: N/A
Finding: F063
Auto approve: 1