Soumettre #855264: waooAI waoowaoo 0.4.1 Improper Access Controlinformation

TitrewaooAI waoowaoo 0.4.1 Improper Access Control
DescriptionA vulnerability was found in waooAI waoowaoo 0.4.1 and classified as medium severity. The affected version was verified from package.json version 0.4.1 at commit 30bf17e6293503895af66cc4a59548bdf478633d. Affected is the media object routing and storage signing functionality. The application derives a stable public media identifier from only the storage object key: publicId = "m_" + sha256(storageKey).slice(0, 40) The MediaObject database model stores globally unique publicId and storageKey values, but does not store a user, tenant, project, or asset owner security scope. The /m/[publicId] route resolves a global MediaObject by publicId, creates a signed URL for media.storageKey, and streams the object without requiring authentication or checking whether the caller owns the project or asset that references the media. A related endpoint, /api/storage/sign?key=..., also returns a signed object URL for any supplied key without authentication. The manipulation of the publicId route parameter, or the key query parameter on the storage signing endpoint, leads to unauthorized access to private user media. It is possible to launch the attack remotely against network-reachable deployments. Authentication required: no. User interaction required: no. Technical Details - Affected file/function: src/lib/media/hash.ts / stablePublicIdFromStorageKey() - Affected file/function: src/lib/media/service.ts / ensureMediaObjectFromStorageKey(), getMediaObjectByPublicId() - Affected file/function: src/app/m/[publicId]/route.ts / GET(), HEAD() - Related file/function: src/app/api/storage/sign/route.ts / GET() - Vulnerable parameter: publicId route parameter - Related parameter: key query parameter - Attack vector: Network - Privileges required: None - Trigger condition: a victim media object exists and the attacker knows, obtains, or can infer a valid storageKey or /m/<publicId> URL Minimal Proof of Concept Given a victim media object with storageKey "uploads/cat.png", the stable media publicId is: m_61528aebee09284f2c313f9751fcfba79511c259 An unauthenticated request to: GET /m/m_61528aebee09284f2c313f9751fcfba79511c259 causes the route to resolve the global MediaObject, sign the stored storageKey, and stream the underlying object without user or project authorization. If the storage key itself is known, an unauthenticated request to: GET /api/storage/sign?key=uploads%2Fcat.png also redirects to a signed object URL. Impact - Confidentiality: High - Integrity: None - Availability: None The exposed data may include user-uploaded or AI-generated images, videos, audio files, voice samples, character assets, scene assets, and other project media. Direct remote code execution was not observed. Data modification was not observed through this route. CVSS v3.1 Score: 5.9 (Medium) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N The attack is assessed with high attack complexity because exploitation generally requires the attacker to know, obtain, or infer a valid storage key or stable media URL. Once such an identifier is known, retrieval is reliable and does not require authentication. Timeline - Discovered: 2026-06-10 - Vendor notified: 2026-06-10 - Patch released: [unknown] - Public disclosure: 2026-06-10 Countermeasure Bind MediaObject records and media retrieval to a security scope such as user, tenant, project, or asset ownership, and enforce that scope in /m/[publicId] before signing or streaming the object. Alternatively, make media public IDs unguessable bearer tokens scoped to the intended access policy. The /api/storage/sign endpoint should require authorization or verify that the caller is allowed to access the requested storage key before returning a signed object URL. Existing media rows may require a migration/backfill strategy.
La source⚠️ https://github.com/waooAI/waoowaoo/issues/201
Utilisateur
 Dem0000000 (UID 98743)
Soumission10/06/2026 18:08 (il y a 1 mois)
Modérer13/07/2026 16:01 (1 month later)
StatutAccepté
Entrée VulDB378109 [waooAI waoowaoo jusqu’à 0.4.1 Media src/lib/media/hash.ts stablePublicIdFromStorageKey storageKey élévation de privilèges]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!