All,

Just an update on this report from Matyas.  We've been in touch with Matyas 
privately, and have verified that you should **not block access** to your 
"config.json".   This "config.json" file is meant to be public as it's 
runtime configuration for the Angular User Interface.  It's required to be 
public for client-side rendering (CSR) to function properly.  This means 
that, if you block access to the "config.json", then any pages/paths in 
your "ssr > excludePathPatterns" settings 
(<https://wiki.lyrasis.org/display/DSDOC9x/User+Interface+Configuration#UserInterfaceConfiguration-ServerSideRendering(SSR)Settings>) 
will fail to load properly.

Therefore, if this public "config.json" is reported as a security 
vulnerability by your scanners, this is a *false positive*.  This file 
generally contains configurations which are already discoverable via the 
user interface, as these settings are used by the user's browser to run the 
Angular UI and contact the REST API.

That said, based on this report from Matyas, we have created a ticket (#5030 
<https://github.com/DSpace/dspace-angular/issues/5030>) to ensure we are 
*minimizing the information/settings* that are available in this public 
"config.json".  
Specifically, we're looking to remove any server-side specific 
configurations (especially those related to server-side rendering or SSR 
like the "rest > ssrBaseUrl"), as those could be moved to a private config 
file.  This change will help to minimize any unnecessary information in the 
public "config.json", and decrease the likelihood of security scanners 
flagging this file.

If there are any questions, feel free to ask them in this thread or on that 
ticket itself.

Tim
On Wednesday, January 21, 2026 at 10:19:55 AM UTC-6 [email protected] 
wrote:

> Hello!
>
> We have been notified by an external audit about a potential vulnerability 
> in the config.json file that is available on the web at the URL path 
> /assets/config.json (like https://demo.dspace.org/assets/config.json ) 
> and physically stored among the deployed DSpace web files in the same 
> directory. The report is attached below. This config file contains 
> configuration values that may expose external architecture, like the internal 
> port of node.js.
> We have solved this issue by prohibiting access to the file in the Apache 
> configuration - we have added the following to httpd.conf:
> <Location "/assets/config.json">
>     Require all denied
> </Location>
>
> Has anybody else faced this issue, please? It affects all DSpace versions 
> 7-9 and probably should be solved generally.
>
> Thanks in advance and happy dSpacing!
>
> Matyas F. Bajger
> University of Ostrava - University library
> https://library.osu.eu
>
>
> -----------------------------------------------------------------------------------------------------------------------------------
>
>
> *Summary of the Issue*
> Issue Type: Exposed config.json / Information Disclosure
> Technology: HTTP / JSON Configuration File
> Severity: Critical
> Affected Host: https://eduard.osu.cz/assets/config.json
> Description
> During testing, it was observed that the config.json file is publicly 
> accessible on the affected host. The file discloses base URL configuration 
> values, including references such as "http://localhost:4000/" and 
> "https://eduo.osu.cz/server". This information may expose internal service 
> architecture and could be leveraged by an attacker for further 
> reconnaissance or exploitation.
> No sensitive credentials or active exploitation was observed during 
> testing.
> Potential Risks
> - Exposure of API configuration and application settings
> - Assistance in reconnaissance and mapping of system architecture
> - Increased risk of targeted attacks when combined with other vulnerabilities
> Recommended Remediation
> - Restrict public access to API configuration files
> - Ensure sensitive configuration data is not exposed via public endpoints
> - Review server configuration to prevent information disclosure
>
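Added example (not code from the DSpace project or from either message above): a small Python audit of a public config.json. It flattens a constructed sample shaped like the DSpace Angular UI config, flags the settings the thread identifies as server-only (the "rest > ssrBaseUrl" value and the "ssr" section; that list is an assumption to adjust per deployment) as well as any URL or host field that points at loopback, unspecified or private-network addresses, and then performs the split Tim's ticket proposes: the server-only keys are moved into a separate private config while the browser-facing part stays public. The sample values and key names are constructed for illustration, not copied from any site.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample shaped like a DSpace Angular "config.json".
# Values and key names are illustrative assumptions, not taken from any site.
SAMPLE_CONFIG = """
{
  "ui":   {"ssl": true, "host": "repo.example.org", "port": 443, "nameSpace": "/"},
  "rest": {"ssl": true, "host": "repo.example.org", "port": 443, "nameSpace": "/server",
           "ssrBaseUrl": "http://localhost:8080/server"},
  "ssr":  {"enabled": true, "excludePathPatterns": ["^/search$"]},
  "themes": [{"name": "dspace"}]
}
"""

# Dotted paths that only the Node.js SSR process needs; the browser never reads them.
# Assumed from the thread (rest > ssrBaseUrl, the ssr section); adjust per deployment.
SERVER_ONLY_PATHS = ("rest.ssrBaseUrl", "ssr")


def flatten(obj, prefix=""):
    """Yield (dotted.path, leaf_value) pairs for nested dicts/lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def is_internal_host(hostname):
    """True for loopback, unspecified, private (RFC 1918 / ULA) addresses and local names."""
    if hostname is None:
        return False
    hostname = hostname.lower()
    if hostname == "localhost" or hostname.endswith((".localhost", ".local", ".internal")):
        return True
    try:
        address = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # a public DNS name: expected in rest.host, so not a finding
    return address.is_loopback or address.is_private or address.is_unspecified


def is_internal_url(value):
    """True when value is an http(s) URL whose host is internal."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and is_internal_host(parsed.hostname)


def _is_server_only(path):
    return any(path == p or path.startswith(p + ".") for p in SERVER_ONLY_PATHS)


def audit_public_config(config):
    """Return [(dotted.path, reason)] for settings that should not sit in a public config.

    Accepts either the JSON text or an already-parsed dict."""
    parsed = json.loads(config) if isinstance(config, str) else config
    findings = []
    for path, value in flatten(parsed):
        if _is_server_only(path):
            findings.append((path, "server-only setting exposed in public config"))
        if is_internal_url(value):
            findings.append((path, f"internal URL exposed: {value}"))
        elif path.endswith(".host") and isinstance(value, str) and is_internal_host(value):
            findings.append((path, f"internal host exposed: {value}"))
    return findings


def split_config(text):
    """Move SERVER_ONLY_PATHS out of the config: returns (public, private) dicts."""
    public = json.loads(text)
    private = {}
    for dotted in SERVER_ONLY_PATHS:
        *parents, leaf = dotted.split(".")
        node = public
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, dict) or leaf not in node:
            continue  # this path is absent in the given config
        target = private
        for key in parents:
            target = target.setdefault(key, {})
        target[leaf] = node.pop(leaf)
    return public, private


if __name__ == "__main__":
    for path, reason in audit_public_config(SAMPLE_CONFIG):
        print(f"{path}: {reason}")
    public_cfg, private_cfg = split_config(SAMPLE_CONFIG)
    print("public:", json.dumps(public_cfg))
    print("private:", json.dumps(private_cfg))
```

To run it against a deployed instance, pass the text of your served /assets/config.json to audit_public_config(); an empty result means nothing server-only or internal is left in the public file. The host check is deliberately a heuristic: a public hostname in "rest > host" is expected and is not flagged, because the browser has to know where the REST API lives, which is exactly why the file cannot simply be blocked.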

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://lyrasis.org/code-of-conduct/
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/dspace-tech/badf21c9-82af-4430-aa74-633191076fcan%40googlegroups.com.