Health Dataspace MVP Exposes Critical CVEs in Next.js, OTel SDK, Undici During Penetration Test Prep
Preparation for a planned penetration test of the Minimum Viable Health Dataspace v2 has surfaced multiple high-severity vulnerabilities in its core dependencies, creating immediate risk for the demo platform. An automated scan with Trivy and `npm audit` identified flaws in the Next.js framework, the OpenTelemetry Go SDK and the Undici HTTP client that could enable denial of service, arbitrary code execution and HTTP request smuggling.
The scan, dated March 28, 2026, flags three primary high-risk issues requiring remediation. The UI, built on Next.js 14.2.35, is exposed to a denial-of-service flaw in React Server Components triggered by deserialization of crafted HTTP requests; fixes are available only in versions 15.0.8 and 16.0.11, so remediation means a major-version upgrade off the 14.x line rather than a patch release. The vendor code, which uses `go.opentelemetry.io/otel/sdk` v1.39.0, carries a PATH hijacking weakness (an external command resolved through the PATH environment variable) that can lead to arbitrary code execution; it is fixed in v1.40.0. Finally, the UI's development dependency `undici` carries six distinct vulnerabilities, including WebSocket denial of service, HTTP request smuggling and CRLF injection. Because `undici` is a development dependency it is not shipped in the served application, but it still executes in the build and test toolchain, so it remains a supply-chain concern rather than a runtime one.
This exposure occurs within a limited test scope covering the web UI, the API layer and DSP/DCP protocol probing for the MVP. The findings put significant pressure on hardening the application's software supply chain before any broader deployment. A full production penetration test covering infrastructure, network and OIDC federation remains on the roadmap, but these initial results show that the foundational security gates are currently failing. Integrating Trivy as the primary dependency (CVE) scanner in CI, alongside the existing `npm audit` gate, is now a critical remediation path to keep these vulnerabilities from reaching a production environment.
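The CI gate described above can be made more useful than a bare "fail on any HIGH" rule by merging both scanners' reports and separating findings that already have a published fix (which should block the build, as the Next.js and OTel SDK findings would) from findings with no fix yet (which should be reported and tracked but not block every pipeline run). The script below is an added example written for this page, not code from the Health Dataspace project. It consumes the JSON emitted by `trivy fs --format json` (the `Results[].Vulnerabilities[]` fields) and by `npm audit --json` (report version 2, the `vulnerabilities` map). The embedded sample reports are constructed: the advisory identifiers (`EXAMPLE-000n`), the version ranges, and the packages `example-lib` and `@example/ui-kit` are placeholders, not real advisories.

```python
"""CI gate over Trivy and npm audit JSON reports (added example, not project code).

Fails the build on any HIGH/CRITICAL finding that has a published fix; findings
with no fix are printed as warnings only. The sample reports at the bottom are
constructed placeholders (EXAMPLE-000n IDs, example-lib, @example/ui-kit).
"""
import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    source: str     # "trivy" or "npm-audit"
    package: str
    affected: str   # installed version (Trivy) or vulnerable range (npm audit)
    fixed: str      # "" when the scanner reports no fix
    severity: str   # upper-cased scanner severity
    ids: tuple      # advisory identifiers exactly as the scanner reported them


def parse_trivy(report: dict) -> list:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records."""
    findings = []
    for result in report.get("Results", []):
        # Clean targets (e.g. a Dockerfile config scan) have no Vulnerabilities key.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding("trivy", vuln["PkgName"],
                                    vuln.get("InstalledVersion", ""),
                                    vuln.get("FixedVersion", ""),
                                    vuln.get("Severity", "UNKNOWN").upper(),
                                    (vuln["VulnerabilityID"],)))
    return findings


def parse_npm_audit(report: dict) -> list:
    """Flatten npm audit's vulnerabilities map into Finding records.

    "via" mixes advisory objects with plain strings naming the dependency that
    introduces the problem; entries with only strings are affected transitively
    and are skipped, because the root cause is reported on the named package.
    """
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue
        fix = entry.get("fixAvailable")
        if isinstance(fix, dict):        # npm names the package@version to move to
            fixed = f"{fix.get('name', name)}@{fix.get('version', '?')}"
        else:
            fixed = "available" if fix else ""
        findings.append(Finding("npm-audit", name, entry.get("range", ""), fixed,
                                str(entry.get("severity", "unknown")).upper(),
                                tuple(str(a.get("url") or a.get("title") or "")
                                      for a in advisories)))
    return findings


def gate(findings, fail_at="HIGH"):
    """Split findings at or above the threshold into blocking (fixable) and unfixed."""
    threshold = SEVERITY_RANK[fail_at]
    blocking, unfixed = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        (blocking if f.fixed else unfixed).append(f)
    return blocking, unfixed


def evaluate(trivy_report: dict, npm_report: dict, fail_at="HIGH") -> int:
    """Print the verdict and return the CI exit code: 1 if anything blocks, else 0."""
    blocking, unfixed = gate(parse_trivy(trivy_report) + parse_npm_audit(npm_report), fail_at)
    for f in blocking:
        print(f"BLOCK [{f.source}] {f.package} {f.affected} -> {f.fixed} ({f.severity}) {', '.join(f.ids)}")
    for f in unfixed:
        print(f"WARN  [{f.source}] {f.package} {f.affected} no fix yet ({f.severity}) {', '.join(f.ids)}")
    return 1 if blocking else 0


# Constructed sample reports: placeholder advisory IDs and ranges, not real CVEs.
SAMPLE_TRIVY = {"Results": [
    {"Target": "ui/package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "next", "InstalledVersion": "14.2.35",
         "FixedVersion": "15.0.8, 16.0.11", "Severity": "HIGH"},
        {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-lib", "InstalledVersion": "1.0.0",
         "Severity": "HIGH"}]},                              # no FixedVersion: warn only
    {"Target": "vendor/go.mod", "Class": "lang-pkgs", "Type": "gomod", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "go.opentelemetry.io/otel/sdk",
         "InstalledVersion": "v1.39.0", "FixedVersion": "v1.40.0", "Severity": "HIGH"},
        {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "example-lib", "InstalledVersion": "0.3.0",
         "FixedVersion": "0.3.1", "Severity": "MEDIUM"}]},  # below threshold: ignored
    {"Target": "ui/Dockerfile", "Class": "config", "Type": "dockerfile"}]}

SAMPLE_NPM = {"auditReportVersion": 2, "vulnerabilities": {
    "undici": {"name": "undici", "severity": "high", "isDirect": False, "range": "<6.0.0",
               "via": [{"source": 1, "name": "undici", "title": "WebSocket denial of service",
                        "url": "https://example.invalid/advisory/EXAMPLE-0005", "severity": "high"},
                       {"source": 2, "name": "undici", "title": "CRLF injection",
                        "url": "https://example.invalid/advisory/EXAMPLE-0006", "severity": "moderate"}],
               "effects": ["@example/ui-kit"], "nodes": ["node_modules/undici"], "fixAvailable": True},
    "@example/ui-kit": {"name": "@example/ui-kit", "severity": "high", "isDirect": True, "range": "*",
                        "via": ["undici"], "effects": [], "nodes": ["node_modules/@example/ui-kit"],
                        "fixAvailable": True}}}               # transitive only: skipped


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: gate.py trivy.json npm-audit.json
        with open(sys.argv[1]) as t, open(sys.argv[2]) as n:
            sys.exit(evaluate(json.load(t), json.load(n)))
    sys.exit(evaluate(SAMPLE_TRIVY, SAMPLE_NPM))   # demo run on the constructed samples
```

To feed it from a pipeline, generate the inputs with `trivy fs --scanners vuln --format json -o trivy.json .` and `npm audit --json > npm-audit.json || true` (the `|| true` is needed because `npm audit` itself exits non-zero when it finds anything, and the gate script is what should decide). One caveat relevant to the `undici` finding on this page: Trivy skips npm development dependencies when scanning a lockfile unless `--include-dev-deps` is passed, so without that flag the dev-dependency findings come from `npm audit` alone and the two scanners will disagree on the count.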