GHSA-8g98-m4j9-qww5: Taylored webhook validation vulnerabilities

Severity: Critical

CVSS Score: 10

### Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

#### Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version **7.0.7 of `taylored`**. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.

**All users who have installed or generated a `taysell-server` using version 7.0.7 of `taylored` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below.**

Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

#### Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:

1. **Path Traversal in Patch Download:** The patch download endpoint did not properly sanitize the user-provided `patchId`. An attacker could have crafted a request with path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files from the server's filesystem. The `patchId` is now sanitized to ensure only files within the intended patches directory can be accessed.
2. **Missing PayPal Webhook Validation:** The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
3. **Purchase Token Replay Vulnerability:** A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
4. **Insufficient PBKDF2 Iterations:** The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.
### Required Actions

To fix these vulnerabilities, users of version **7.0.7** must **upgrade the `taylored` tool and regenerate their `taysell-server` instance**. Please follow these steps carefully:

1. **Upgrade to the Secure Version of `taylored`:** Open your terminal and run the following command to install the latest version:

   ```bash
   npm install -g taylored@latest
   ```

   Verify that you have version 7.0.8 or later.

2. **Remove the Vulnerable Backend:** Navigate to the project directory where you previously generated the backend with v7.0.7 and **completely delete the old `taysell-server` directory**.

   ```bash
   # Back up any customizations if necessary
   rm -rf taysell-server
   ```

3. **Generate the New, Secure Backend:** From the same directory, run the `setup-backend` command again using the upgraded `taylored` tool. This will create a new `taysell-server` directory with the patched, secure code.

   ```bash
   taylored setup-backend
   ```

   Follow the prompts and enter your PayPal credentials and server configuration. **Using a new, strong, and unique `PATCH_ENCRYPTION_KEY` is highly recommended.**

4. **Recreate and Re-upload Commercial Patches:** Due to the cryptography improvements, **patches created with version 7.0.7 are not compatible with the new, secure backend**. You must recreate them:
   * For each of your commercial patches, run the `taylored create-taysell` command again.
   * Upload the new encrypted files (e.g., `patch-name.taylored.encrypted`) to the `patches/` directory of your new `taysell-server`.

5. **Launch the New Server:** Start your new backend using Docker Compose:

   ```bash
   cd taysell-server
   docker-compose up --build -d
   ```

For questions or support, please refer to the official documentation or open an issue on our GitHub repository. Thank you for your attention to this important update.