Invia #829403: HKUDS nanobot <= 0.1.5.post3 Missing Origin Validation in WebSockets (CWE-1385)informazioni

TitoloHKUDS nanobot <= 0.1.5.post3 Missing Origin Validation in WebSockets (CWE-1385)
Descrizione# Technical Details A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the `setupClient` method in `bridge/src/server.ts` of nanobot. The application fails to validate the Origin header during WebSocket handshakes when `BRIDGE_TOKEN` is unset, allowing untrusted cross-site connections. # Vulnerable Code File: bridge/src/server.ts Method: setupClient Why: The connection handler accepts any client connection without Origin validation when the optional `BRIDGE_TOKEN` is not configured, parsing and executing untrusted payload as bridge commands. # Reproduction 1. Ensure the victim is running Nanobot WhatsApp Bridge locally with `BRIDGE_TOKEN` unset (the default configuration). 2. Have the victim visit an attacker-controlled webpage containing a malicious WebSocket client. 3. The webpage connects to `ws://127.0.0.1:3001` and sends bridge commands (e.g., `send` or `send_media`). 4. The bridge processes the commands, bypassing origin trust boundaries. # Impact - Unauthorized local session control and message sending via the bridge. - Exposure of bridge-delivered WhatsApp events and QR flow metadata. - Abuse of the victim's active messaging context.
Fonte⚠️ https://gist.github.com/YLChen-007/023d2eb61c05dafc9bdc44a95938fe7a
Utente
 Eric-b (UID 96354)
Sottomissione14/05/2026 07:13 (2 mesi fa)
Moderazione14/06/2026 09:05 (1 month later)
StatoDuplicato
Voce VulDB357650 [HKUDS nanobot fino a 0.1.4 Bridge API bridge/src/server.ts BRIDGE_TOKEN Esecuzione di codice remoto]
Punti0

Might our Artificial Intelligence support you?

Check our Alexa App!