PT-2024-23110 · Serverpod · Serverpod

Skycoder42

Published: 2024-03-27
Updated: 2025-12-19
CVE: CVE-2024-29887
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Serverpod versions prior to 1.2.6

Description: The issue bypasses the validation of TLS certificates on all non-web HTTP clients in the serverpod client package, making them susceptible to a man-in-the-middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and hijack the connection to the server for this issue to be exploited.

Recommendations: For versions prior to 1.2.6, upgrade to version 1.2.6 to resolve the issue. As a temporary workaround, consider restricting access to the serverpod client package until the update is applied.
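As an added illustration (not code from Serverpod or from this advisory), the three shapes a dart:io HttpClient can take with respect to certificate validation: the weak one that accepts every certificate, the default that leaves platform validation in place, and a narrow pin for a single known certificate. The advisory only states that validation is bypassed on non-web clients; that the bypass takes the form of an unconditional badCertificateCallback is an assumption here, used because it is the usual way this weakness appears in Dart code. The host name api.example.invalid and the pinned bytes are constructed placeholders.

```dart
import 'dart:io';
import 'dart:typed_data';

// Weak configuration: an unconditional badCertificateCallback disables the
// checks dart:io would otherwise perform (trusted chain, hostname match,
// validity period), so any certificate presented on the path is accepted.
// This is the shape of CWE-295 in a Dart client (assumed, not Serverpod's code).
HttpClient insecureClient() {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true;
  return client;
}

// Default configuration: no callback is installed, so a certificate that fails
// validation aborts the handshake with a HandshakeException.
HttpClient validatingClient() => HttpClient();

// Narrow exception: accept exactly one pinned leaf certificate, and only for
// the host it was pinned for. The callback is reached only after default
// validation has already failed, which makes it the right place for a
// self-signed certificate used by an internal or test deployment.
HttpClient pinnedClient(Uint8List pinnedDer, String expectedHost) {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) =>
          host == expectedHost && constantTimeEquals(cert.der, pinnedDer);
  return client;
}

// Length-and-content comparison without an early exit on the first mismatch.
bool constantTimeEquals(List<int> a, List<int> b) {
  if (a.length != b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return diff == 0;
}

void main() {
  // Constructed placeholder, not a real certificate: in practice load the DER
  // bytes of the one certificate you have decided to trust.
  final pinnedDer = Uint8List.fromList([0x30, 0x82, 0x01, 0x00]);

  final clients = <String, HttpClient>{
    'insecure (accepts anything)': insecureClient(),
    'validating (platform trust store)': validatingClient(),
    'pinned (single certificate, host-bound)':
        pinnedClient(pinnedDer, 'api.example.invalid'),
  };
  clients.forEach((label, client) {
    print(label);
    client.close();
  });
}
```

When reviewing a Dart client for this weakness, every assignment to badCertificateCallback is the place to look: a body that returns true without inspecting the certificate or host is the defect, while the fix is either to remove the callback (restoring the default rejection) or to narrow it to an explicit, host-bound pin as above.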


Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2024-29887
GHSA-H6X7-R5RG-X5FW

Affected Products

Serverpod