[PR #307] [CLOSED] 1 #464

Closed
opened 2026-05-06 13:08:13 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/307
Author: @hah312po
Created: 3/6/2026
Status: Closed

Base: main
Head: claude/security-vulnerability-audit-rCiUw


📝 Commits (10+)

  • 1f72b19 fix: comprehensive security vulnerability audit — 30 high/critical fixes
  • d8f176d fix: HTTP header injection via Link header and cookie prototype pollution
  • 1accdbd fix: sanitize Link header values in Pages Router dev server
  • f81704d fix: path traversal, prototype pollution, fetch cache race condition, TPR SSRF
  • 0cd55e0 fix: command injection in init.ts and code injection in tpr.ts
  • 4cbee71 fix: CI/CD supply chain hardening — remove id-token, stop logging webhook
  • 85921bc fix: allow localhost proxying in dev/test mode for SSRF protection
  • acd33b4 Add security vulnerability audit with evidence-based findings
  • 5a0b058 Add PoC exploit chains with step-by-step evidence for all 7 findings
  • 79898d1 Expand PoC 1, 2, 5 with full step-by-step attacker walkthroughs

📊 Changes

24 files changed (+2533 additions, -62 deletions)
📝 .github/workflows/bigbonk.yml (+0 -1)
📝 .github/workflows/bonk.yml (+0 -1)
📝 .github/workflows/publish.yml (+2 -6)
➕ SECURITY-AUDIT.md (+2230 -0)
📝 packages/vinext/src/cloudflare/tpr.ts (+21 -3)
📝 packages/vinext/src/config/config-matchers.ts (+55 -0)
📝 packages/vinext/src/config/dotenv.ts (+5 -3)
📝 packages/vinext/src/init.ts (+3 -1)
📝 packages/vinext/src/routing/app-router.ts (+16 -0)
📝 packages/vinext/src/server/api-handler.ts (+17 -5)
📝 packages/vinext/src/server/app-dev-server.ts (+12 -3)
📝 packages/vinext/src/server/dev-origin-check.ts (+29 -0)
📝 packages/vinext/src/server/dev-server.ts (+22 -8)
📝 packages/vinext/src/server/html.ts (+2 -1)
📝 packages/vinext/src/server/isr-cache.ts (+10 -0)
📝 packages/vinext/src/server/middleware-codegen.ts (+8 -0)
📝 packages/vinext/src/server/middleware.ts (+12 -1)
📝 packages/vinext/src/server/normalize-path.ts (+8 -0)
📝 packages/vinext/src/server/prod-server.ts (+7 -1)
📝 packages/vinext/src/shims/cache.ts (+14 -0)

...and 4 more files

📄 Description

1


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.