logo

Database

Server side template injection In @nestjs/common

Description

nest allows a remote attacker to execute arbitrary code via the Content-Type header File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-294092. NVD-2024-294093. OSV-2024-294094. GCVE-2024-29409

References

1. https://github.com/nestjs/nest/issues/13311#issuecomment-19938394952. https://github.com/nestjs/nest/issues/148763. https://github.com/nestjs/nest/issues/14876#issuecomment-27968880384. https://github.com/nestjs/nest/pull/148815. https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f6. https://github.com/nestjs/nest/blob/83a48b2c7396985144b7a6cd5d3bee1abb7c5d81/packages/common/pipes/file/file-type.validator.ts#L197. https://github.com/nestjs/nest/releases/tag/v10.4.168. https://github.com/nestjs/nest/releases/tag/v11.0.16

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.