| Título | better-auth better-icons 1.0.5 Code Injection |
|---|
| Descripción | A vulnerability was found in better-auth/better-icons 1.0.5. The issue affects the MCP tools sync_icon and scan_project_icons, with the strongest impact in sync_icon. The affected parameters are icons_file and component_name.
The sync_icon tool accepts a caller-controlled icons_file path and writes generated component source code to that path without enforcing a trusted project root, workspace boundary, extension allowlist, or canonical path containment. If the parent directory does not exist, the implementation creates it recursively. If the target file already exists, the implementation reads it and rewrites it with a new icon component appended. As a result, an MCP client that can invoke sync_icon can create or modify source files at attacker-chosen process-writable paths, including paths outside the intended project directory.
In addition, sync_icon accepts a caller-controlled component_name value and inserts it directly into generated framework source templates. In JavaScript and TypeScript output, this value becomes part of an export declaration. Because component_name is not validated as a JavaScript identifier or safely escaped before template generation, a malicious value can break out of the intended declaration shape and inject top-level source code into the generated file.
The confirmed direct primitive is attacker-controlled source-file creation or modification at an attacker-chosen path. Code execution occurs when the victim project later imports, builds, or runs the generated file, which matches the intended use case of this MCP server. In the public reproduction, a malicious component_name injected a require("child_process").execSync(...) payload into a generated .tsx file, and the payload executed when the file was later evaluated by a TypeScript runtime loader.
The scan_project_icons tool is also affected by the unconfined icons_file parameter. It reads the caller-supplied path and discloses matching icon definitions from files that match the parser's expected pattern. This is a weaker attacker-chosen file read with pattern-based disclosure, not full arbitrary file-content disclosure.
Affected package: better-icons
Affected version: 1.0.5
Affected commit: 033316ecb8f4982235af4111a2257e80231f5ab1
Affected tools: sync_icon, scan_project_icons
Affected parameters: icons_file, component_name
Transport tested: stdio MCP
CWE: CWE-22 / CWE-73 / CWE-94
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Suggested severity: High
Suggested remediation: enforce path confinement and identifier validation before source generation. Resolve icons_file with realpath and require it to remain inside an operator-configured project root or explicitly approved workspace. Reject absolute paths, traversal attempts, and symlink escapes outside the trusted root. Enforce an allowlist of expected source/component extensions. Validate component_name against a strict JavaScript identifier pattern before it reaches any framework source-code template. Also validate icon_id and audit all code-generation templates and call sites that use icons_file, component_name, customName, or iconId. |
|---|
| Fuente | ⚠️ https://github.com/better-auth/better-icons/issues/18 |
|---|
| Usuario | Mcfly_Zhang (UID 98877) |
|---|
| Sumisión | 2026-06-10 02:37 (hace 1 mes) |
|---|
| Moderación | 2026-07-12 14:51 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 377865 [better-auth better-icons hasta 1.0.5 scan_project_icons/sync_icon icons_file recorrido de directorios] |
|---|
| Puntos | 20 |
|---|