CVE-2024-37162

MEDIUM

Idopesok Zsa < 0.3.3 - Error Information Exposure

Title source: rule

Description

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. This has been patched in `0.3.3`.

Scores

CVSS v3 4.0
EPSS 0.0032
EPSS Percentile 55.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-209
Status published
Products (2)
idopesok/zsa < 0.3.3
npm/zsa 0 - 0.3.3 (npm)
Published Jun 07, 2024
Tracked Since Feb 18, 2026