| Title | Mage AI Mage AI Framwork 0.9.75 Insecure Default Initialization of Resource |
|---|
| Description | Basic Information:
Affected Product: Mage-AI
Affected Version: v0.9.75 (Tested Latest Release before the publication - 6 December 2024), the vulnerability was reported in v0.9.69 (Release - March 28, 2024)
Vulnerability Name: Insecure Default Authentication Setup Leading to Zero-Click RCE
Vulnerability Type: Insecure Default Configuration CWE-1188 (https://cwe.mitre.org/data/definitions/1188.html)
Vulnerability Severity Score (refer to CVSS 3.1): 9.8 Critical CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
VDP: https://github.com/mage-ai/mage-ai/security
Researcher: Aden Yap & Ali Radzali (BAE Systems DI)
Date Reported: 6 May 2024
Date Published: 27 Feburary 2025
Description:
The application lacks proper user authentication by default, allowing anyone to access it without authentication. Although there is an option to enable user authentication, it is not prominently displayed, and users may not be aware of its existence. This oversight poses a significant vulnerability. The absence of proper authentication opens the door for unauthorized access. An attacker could achieve zero-click remote code execution (RCE) due to this flaw. Essentially, an attacker can exploit the lack of authentication to execute arbitrary code without any user interaction. This represents a severe risk; this can lead to a compromise of the web service or the server.
Recommendation & Workaround:
We initially reported this issue to the Mage-AI, recommending that authentication be enabled by default during the application's setup process. This would ensure that users are protected out of the box, reducing the risk of unauthenticated access. However, Mage-AI did not acknowledge this as a security vulnerability, despite evidence showing that multiple real-world instances are affected. Given the potential risk to unaware users, we are publicly disclosing this information to raise awareness and help users secure their deployments.
Workaround Solution:
To protect your instance from unauthorised access and RCE, it is critical to manually enable authentication in your deployment. Since authentication is not enabled by default, users must explicitly configure it to secure their instances.
How to Enable Authentication Set the following environment variable when running the application:
-e REQUIRE_USER_AUTHENTICATION=1
For full configuration details, refer to the official documentation (https://docs.mage.ai/production/authentication/overview).
Since authentication settings are not prominently displayed during the application's setup, many users may be unknowingly deploy the application in an default insecure state. We strongly urge all users to verify their authentication settings and apply the necessary configuration changes immediately.
The details of the PoC and exploits:
https://github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md |
|---|
| Source | ⚠️ https://github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md |
|---|
| User | Anonymous User |
|---|
| Submission | 02/27/2025 08:40 AM (12 months ago) |
|---|
| Moderation | 03/09/2025 07:53 AM (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299049 [Mage AI 0.9.75 insecure default initialization of resource] |
|---|
| Points | 20 |
|---|