
Cloud Vulnerability DB
A community-led vulnerabilities database
A set of critical security vulnerabilities was disclosed on June 18, 2025 in the taylored npm package, specifically in its 'Backend-in-a-Box' template (the taysell-server backend it generates). The affected range is versions >= 7.0.5 and < 7.0.8; version 7.0.7 was the release analysed in the advisory, and 7.0.8 contains the fix. The package is used to build backend servers that sell and distribute patches (GitHub Advisory).
The advisory covers four distinct issues:
1) A path traversal vulnerability in the patch download endpoint: the user-supplied patchId was joined into a filesystem path without sanitization, so a crafted value could escape the patch directory.
2) Missing cryptographic verification of PayPal webhook notifications: the server acted on payment events without checking that they actually originated from PayPal.
3) A purchase token replay vulnerability: a legitimate token was never invalidated, so it could be reused indefinitely.
4) An insufficient PBKDF2 iteration count (100,000) in the key derivation function, which lowers the cost of brute-forcing a weak encryption key and the patches encrypted under it. Note that a higher iteration count only slows down guessing; it cannot compensate for a low-entropy key, which is why a strong, unique key is recommended separately.
The fix implements strict input validation on patchId, verifies webhooks through the PayPal SDK, invalidates each purchase token after its first use, and raises the PBKDF2 iteration count to 310,000 (GitHub Commit).
Exploiting these issues, an attacker could read arbitrary files from the server's filesystem via path traversal, obtain paid patches without paying by spoofing payment notifications, reuse a single purchase token to download patches repeatedly, and, where the encryption key is weak, recover protected patches by brute-forcing the key derivation (GitHub Advisory).
Users must upgrade to version 7.0.8 or later and, because the fix changes the generated backend and its cryptography, rebuild the server rather than patch it in place:
1) Install the latest version with npm install -g taylored@latest.
2) Remove the vulnerable backend by deleting the old taysell-server directory.
3) Generate a new backend with the setup-backend command.
4) Recreate and re-upload all commercial patches: patches encrypted under the old key derivation parameters will not decrypt under the new ones.
5) Launch the new server using Docker Compose.
A new, strong, and unique PATCHENCRYPTIONKEY is recommended; the higher iteration count does not protect a weak key (GitHub Advisory).
Source: This report was generated using AI