PT-2025-27338 · Npm · Taylored

Published

2025-06-18

·

Updated

2025-06-18

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of taylored. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.
All users who have installed or generated a taysell-server using version 7.0.7 of taylored are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below. Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:
  1. Path Traversal in Patch Download: The patch download endpoint did not properly sanitize the user-provided patchId. An attacker could have crafted a request with path traversal sequences (e.g., ../../etc/passwd) to read arbitrary files from the server's filesystem. The patchId is now sanitized to ensure only files within the intended patches directory can be accessed.
  2. Missing PayPal Webhook Validation: The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
  3. Purchase Token Replay Vulnerability: A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
  4. Insufficient PBKDF2 Iterations: The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.

Required Actions

To fix these vulnerabilities, users of version 7.0.7 must upgrade the taylored tool and regenerate their taysell-server instance.
Please follow these steps carefully:
  1. Upgrade to the Secure Version of taylored: Open your terminal and run the following command to install the latest version:

```bash
npm install -g taylored@latest
```

Verify that you have version 7.0.8 or later.
  2. Remove the Vulnerable Backend: Navigate to the project directory where you previously generated the backend with v7.0.7 and completely delete the old taysell-server directory.

```bash
# Back up any customizations if necessary
rm -rf taysell-server
```

  3. Generate the New, Secure Backend: From the same directory, run the setup-backend command again using the upgraded taylored tool. This will create a new taysell-server directory with the patched, secure code.

```bash
taylored setup-backend
```

Follow the prompts and enter your PayPal credentials and server configuration. Using a new, strong, and unique PATCH ENCRYPTION KEY is highly recommended.
  4. Recreate and Re-upload Commercial Patches: Due to the cryptography improvements, patches created with version 7.0.7 are not compatible with the new, secure backend. You must recreate them:
  • For each of your commercial patches, run the taylored create-taysell command again.
  • Upload the new encrypted files (e.g., patch-name.taylored.encrypted) to the patches/ directory of your new taysell-server.
  5. Launch the New Server: Start your new backend using Docker Compose:

```bash
cd taysell-server
docker-compose up --build -d
```
For questions or support, please refer to the official documentation or open an issue on our GitHub repository.
Thank you for your attention to this important update.

Weakness Enumeration

Path traversal

Insufficient Verification of Data Authenticity

Related identifiers

GHSA-8G98-M4J9-QWW5

Affected products

Taylored