The vulnerability exists because DevSpace's UI server accepts WebSocket connections on `ws://127.0.0.1:8090` from any origin. The browser's Same-Origin Policy does not prevent this by itself: a page from any origin may open a WebSocket to any host, and the only cross-origin protection in the handshake is the `Origin` header the browser attaches, which the server has to validate. When a developer runs `devspace ui` locally and browses the internet at the same time, a malicious website can therefore open a cross-origin WebSocket connection to the local DevSpace instance. DevSpace's `gorilla/websocket` Upgrader is configured with an insecure `CheckOrigin` function that returns `true` for every origin (e.g., `func(r *http.Request) bool { return true }`). Note that gorilla/websocket does apply a default check when `CheckOrigin` is left nil (the `Origin` host must match the request's `Host` header), so it is the permissive function that disables the protection. As a result, an attacker-controlled webpage can connect to `ws://127.0.0.1:8090` and send crafted messages to three critical endpoints:
– `/api/logs` → streams real-time pod logs (exposes secrets, environment variables, application output).
– `/api/enter` → opens an interactive shell inside the running pod (full container access).
– `/api/command` → executes pre-defined pipeline commands (runs arbitrary code in the developer’s cluster context).
The attack requires no authentication: the UI server relies on listening on localhost and performs no origin check. A `new WebSocket("ws://127.0.0.1:8090")` call from any malicious site is enough to establish the connection; the developer only needs to have `devspace ui` running. Versions < 6.3.21 are vulnerable. The patch enforces proper `Origin` validation via gorilla/websocket's `CheckOrigin`, allowing only same-origin or explicitly trusted origins.
Summary:
Platform: DevSpace UI
Version: <6.3.21
Vulnerability: Cross-origin WebSocket
Severity: Critical
Date: Not specified
Prediction: Patched v6.3.21
What Undercode Says:
Simulate a cross-origin WebSocket connection from a malicious site. Run this in the browser console of any page while `devspace ui` is running on port 8090:

```javascript
// Cross-origin connection to the local DevSpace UI server. The browser attaches the
// console page's Origin to the handshake; the vulnerable server never checks it.
const ws = new WebSocket("ws://127.0.0.1:8090");
// Message format as given on this page (illustrative): request the log stream of one pod.
ws.onopen = () => ws.send(JSON.stringify({endpoint: "/api/logs", namespace: "default", pod: "app-pod"}));
// Anything the server streams back is the victim's pod output.
ws.onmessage = (e) => console.log("Logs:", e.data);
```
Check the server's origin policy directly by attempting a handshake with a foreign `Origin`:

```shell
curl -i -N \
  -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Origin: https://evil.com" \
  -H "Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==" \
  -H "Sec-WebSocket-Version: 13" \
  http://127.0.0.1:8090/api/logs
```

A vulnerable server answers `HTTP/1.1 101 Switching Protocols` despite the foreign origin; a patched server rejects the handshake with `403 Forbidden`, which is what gorilla/websocket returns when `CheckOrigin` fails.
How the Exploit Works:
1. Attacker hosts `evil.com` with JavaScript that runs `new WebSocket("ws://127.0.0.1:8090")`.
2. Victim runs `devspace ui` and visits `evil.com`.
3. The malicious page connects to the victim's local DevSpace WebSocket; the browser sends `Origin: https://evil.com`, which the server ignores.
4. Attacker sends JSON messages targeting `/api/enter` and obtains an interactive shell inside the pod.
5. From that shell the attacker runs `kubectl get secrets -n kube-system` for lateral movement (this assumes `kubectl` is available in the pod and its service account has the necessary RBAC permissions).
Protection from this CVE:
- Upgrade to DevSpace ≥ 6.3.21 immediately.
- If upgrading is impossible, stop `devspace ui` when not in use, and do not browse untrusted sites while it is running.
- Keep the UI server bound to `127.0.0.1` (the default) and add a firewall rule to block external access. Note that this does not stop the attack described here, because the connection originates from the victim's own browser on localhost; only `Origin` validation does.
- Enforce `CheckOrigin` in a custom build or deployment (note the `*http.Request` pointer, which the gorilla/websocket `CheckOrigin` signature requires):

```go
var upgrader = websocket.Upgrader{
	// Accept only the UI's own origin. Add "http://localhost:8090" as well if the UI
	// is opened via localhost, otherwise the legitimate UI page is rejected too.
	CheckOrigin: func(r *http.Request) bool {
		return r.Header.Get("Origin") == "http://127.0.0.1:8090"
	},
}
```
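To make both the detection check from the section above and the `CheckOrigin` fix concrete, here is an added Go example written for this page (it is not DevSpace's own code). It puts the permissive check beside a hardened one, wraps each in a handler that applies the check before completing the handshake, and includes a probe that performs the same handshake as the curl command. The allowlist (`localhost:8090`, `127.0.0.1:8090`), the `/api/logs` path and the `https://evil.example` origin are assumptions for illustration. The handshake is implemented with the standard library only, so the example runs without gorilla/websocket; gorilla's `Upgrader.CheckOrigin` takes a function of the same `func(*http.Request) bool` shape.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// websocketGUID is the fixed string from RFC 6455 used to derive Sec-WebSocket-Accept.
const websocketGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// permissiveCheckOrigin reproduces the insecure configuration: every Origin is accepted,
// so a page on https://evil.example may open a socket to the local server.
func permissiveCheckOrigin(_ *http.Request) bool { return true }

// allowedOrigins is a hypothetical allowlist of hosts the UI may legitimately be opened from.
var allowedOrigins = map[string]bool{"localhost:8090": true, "127.0.0.1:8090": true}

// strictCheckOrigin accepts a handshake when the request carries no Origin header (non-browser
// clients such as curl), or when the Origin's host equals the request's Host header or is on the
// allowlist. Everything else, including a foreign website, is rejected.
func strictCheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	host := strings.ToLower(u.Host)
	return host == strings.ToLower(r.Host) || allowedOrigins[host]
}

// upgradeHandler applies checkOrigin before completing a minimal WebSocket handshake, in the
// same order gorilla/websocket's Upgrader does: a rejected origin gets 403 and is never upgraded.
func upgradeHandler(checkOrigin func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkOrigin(r) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		key := r.Header.Get("Sec-WebSocket-Key")
		if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") || key == "" {
			http.Error(w, "not a websocket handshake", http.StatusBadRequest)
			return
		}
		hj, ok := w.(http.Hijacker)
		if !ok {
			http.Error(w, "hijacking not supported", http.StatusInternalServerError)
			return
		}
		conn, _, err := hj.Hijack()
		if err != nil {
			return
		}
		defer conn.Close()
		sum := sha1.Sum([]byte(key + websocketGUID))
		accept := base64.StdEncoding.EncodeToString(sum[:])
		// A real server would now speak WebSocket framing; the handshake is all the probe needs.
		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"+
			"Connection: Upgrade\r\nSec-WebSocket-Accept: %s\r\n\r\n", accept)
	})
}

// probeOrigin performs the same check as the curl command: a raw handshake on path with the
// given Origin. It returns the HTTP status; 101 means the server accepted a cross-origin socket.
func probeOrigin(addr, path, origin string) (int, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	req := fmt.Sprintf("GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"+
		"Origin: %s\r\nSec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\nSec-WebSocket-Version: 13\r\n\r\n",
		path, addr, origin)
	if _, err := conn.Write([]byte(req)); err != nil {
		return 0, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	checks := []struct {
		name  string
		check func(*http.Request) bool
	}{{"permissive", permissiveCheckOrigin}, {"strict", strictCheckOrigin}}
	for _, c := range checks {
		srv := httptest.NewServer(upgradeHandler(c.check)) // throwaway stand-in for the UI server
		code, err := probeOrigin(strings.TrimPrefix(srv.URL, "http://"), "/api/logs", "https://evil.example")
		srv.Close()
		fmt.Printf("%-10s Origin=https://evil.example -> status %d (err=%v)\n", c.name, code, err)
	}
}
```

Running `main` starts two throwaway servers and probes each with a foreign origin: the permissive one answers 101, the strict one 403. The strict check mirrors what gorilla/websocket does by default when `CheckOrigin` is nil (compare the `Origin` host with `Host`), with an explicit allowlist on top so the UI keeps working whether it is opened as `localhost` or `127.0.0.1`.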
Impact:
- Full pod log exposure (secrets, tokens, application data).
- Unauthenticated remote shell inside developer’s cluster pod.
- Execution of pipeline commands leading to cluster compromise.
- Attacker pivots from localhost to cloud infrastructure.
Sources:
Reported By: github.com