@trigger.dev/core is vulnerable to Denial of Service (DoS)
39
Low Risk
The error serialization helpers in @trigger.dev/core turn thrown errors into TaskRunError objects and OpenTelemetry spans without bounding the size of the error stack or message. When a task throws an error carrying a very large stack trace or message, the runtime serializes the entire unbounded payload. This can exhaust the worker process memory and crash the run with an out-of-memory failure, so a single oversized error can take down the task worker. The fix truncates oversized stack traces and messages in parseError, sanitizeError, and span recording.
You are affected if you are using a version that falls within the vulnerable range.
@trigger.dev/core is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 4.4.4.
Upgrade the @trigger.dev/core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant