Intel

AIKIDO-2026-924948

@trigger.dev/core is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

39

Low Risk

This Affects:

JS@trigger.dev/core
3.0.0 - 4.4.4
Fixed in 4.4.5
Are you affected? Scan for Free

TL;DR

The error serialization helpers in @trigger.dev/core turn thrown errors into TaskRunError objects and OpenTelemetry spans without bounding the size of the error stack or message. When a task throws an error carrying a very large stack trace or message, the runtime serializes the entire unbounded payload. This can exhaust the worker process memory and crash the run with an out-of-memory failure, so a single oversized error can take down the task worker. The fix truncates oversized stack traces and messages in parseError, sanitizeError, and span recording.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@trigger.dev/core is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 4.4.4.

How to fix this

Upgrade the @trigger.dev/core library to the patch version.