config.json publicly available as a vulnerability issue


Matyas F. Bajger

Jan 21, 2026, 11:19:55 AM (11 days ago) Jan 21
to DSpace Technical Support

Hello!

We have been notified by an external audit about a potential vulnerability in the config.json file that is available on the web at the URL path /assets/config.json (like https://demo.dspace.org/assets/config.json ) and is physically stored among the deployed DSpace web files in the same directory. The report is attached below. This config file contains configuration values that may expose the external architecture, like the internal port of node.js.
We have solved this issue by prohibiting access to the file in the Apache configuration; we have added the following to httpd.conf:
<Location "/assets/config.json">
    Require all denied
</Location>

Has anybody else faced this issue? It applies to all DSpace versions 7-9 and probably should be solved generally.

Thanks in advance and happy DSpacing!

Matyas F. Bajger
University of Ostrava - University library
https://library.osu.eu

-----------------------------------------------------------------------------------------------------------------------------------


Summary of the Issue
Issue Type: Exposed config.json / Information Disclosure
Technology: HTTP / JSON Configuration File
Severity: Critical
Affected Host: https://eduard.osu.cz/assets/config.json
Description
During testing, it was observed that the config.json file is publicly accessible on the affected host. The file discloses base URL configuration values, including references such as "http://localhost:4000/" and "https://eduo.osu.cz/server". This information may expose internal service architecture and could be leveraged by an attacker for further reconnaissance or exploitation.
No sensitive credentials or active exploitation was observed during testing.
Potential Risks
Exposure of API configuration and application settings
Assistance in reconnaissance and mapping of system architecture
Increased risk of targeted attacks when combined with other vulnerabilities
Recommended Remediation
Restrict public access to API configuration files
Ensure sensitive configuration data is not exposed via public endpoints
Review server configuration to prevent information disclosure

DSpace Technical Support

Jan 26, 2026, 10:37:31 AM (6 days ago) Jan 26
to DSpace Technical Support
All,

Just an update on this report from Matyas.  We've been in touch with Matyas privately, and have verified that you should **not block access** to your "config.json".   This "config.json" file is meant to be public as it's runtime configuration for the Angular User Interface.  It's required to be public for client-side rendering (CSR) to function properly.  This means that, if you block access to the "config.json", then any pages/paths in your "ssr > excludePathPatterns" settings will fail to load properly.

Therefore, if this public "config.json" is reported as a security vulnerability by your scanners, this is a false positive.  This file generally contains configurations which are already discoverable via the user interface, as these settings are used by the user's browser to run the Angular UI and contact the REST API.

That said, based on this report from Matyas, we have created a ticket (#5030) to ensure we are minimizing the information/settings that are available in this public "config.json".  Specifically, we're looking to remove any server-side specific configurations (especially those related to server-side rendering or SSR like the "rest > ssrBaseUrl"), as those could be moved to a private config file.  This change will help to minimize any unnecessary information in the public "config.json", and decrease the likelihood of security scanners flagging this file.

If there are any questions, feel free to ask them in this thread or on that ticket itself.

Tim
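A review aid in the spirit of ticket #5030, added here as an example and not DSpace project code: it flattens a config.json document and flags the SSR-specific keys the thread names (rest > ssrBaseUrl and the ssr block) plus any URL or host value that names an internal host, so an operator can decide what to trim from the public file rather than blocking it. The sample document and its key layout are constructed assumptions modelled on the thread, not a real deployment's file.

```python
import json
import re
from urllib.parse import urlparse

# Settings the thread singles out as server-side rendering (SSR) specific,
# which ticket #5030 proposes moving to a private config. Dotted JSON paths.
SSR_KEYS = ("rest.ssrBaseUrl", "ssr.")

# Hosts that name an internal service rather than the public edge (loopback + RFC 1918).
INTERNAL_HOST_RE = re.compile(r"^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Constructed sample modelled on the thread's description; not a real deployment's file.
SAMPLE_CONFIG = json.dumps({
    "ui": {"ssl": False, "host": "localhost", "port": 4000, "nameSpace": "/"},
    "rest": {"baseUrl": "https://repo.example.org/server",
             "ssrBaseUrl": "http://localhost:8080/server"},
    "ssr": {"enabled": True, "excludePathPatterns": [{"pattern": "^/search$"}]},
})


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every scalar leaf of a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def audit_config(text):
    """Return (key, reason) findings worth reviewing before the file is served.

    The thread's conclusion is that config.json must stay public, so findings
    are inputs to trimming its contents, not reasons to block the file.
    """
    findings = []
    for key, value in flatten(json.loads(text)):
        if key.startswith(SSR_KEYS):
            findings.append((key, "SSR-specific setting; candidate for a private config"))
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if INTERNAL_HOST_RE.match(host):
                findings.append((key, f"URL names internal host {host}"))
        elif key.endswith(".host") and INTERNAL_HOST_RE.match(str(value)):
            findings.append((key, f"internal host {value}"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_config(SAMPLE_CONFIG):
        print(f"{key}: {reason}")
```

Pointing it at a live file is a matter of replacing SAMPLE_CONFIG with the body fetched from /assets/config.json; the public baseUrl is deliberately not flagged, since the browser needs it.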