ZeroPath, API Key Creation Authentication Bypass, CVE-2024-1234 (Critical)


How the CVE Works

The vulnerability is an authentication logic flaw in the API key creation endpoint. The code derives the user context with `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no user session is present, the `authRequired` flag is incorrectly set to `false` whenever a `userId` is supplied in the request body, so the user object falls back to an attacker-controlled ID. Because `authRequired` is false, the server-side checks that would normally verify authentication are skipped. An unauthenticated attacker can therefore submit a payload containing any user's ID, and the application accepts it and creates a new, fully functional API key for that victim without any access control check. The same flawed pattern exists in the API key update endpoint.

DailyCVE Form

Platform: ZeroPath
Version: Pre-1.2.3
Vulnerability: Authentication Bypass
Severity: Critical

date: 2024-10-15

Prediction: Patch 2024-10-29

What Undercode Say:

`curl -X POST http://localhost:3000/api/auth/api-key/create -H 'Content-Type: application/json' -d '{"userId": "victim-id", "name": "attacker-key"}'`

How to Exploit:

Send an unauthenticated POST request to `/api/auth/api-key/create` with the target `userId` in the JSON body to generate a valid API key for any user.

Protection from this CVE

Update to patched version. Implement strict authentication checks. Validate user context exclusively from session.

Impact:

Complete account takeover. Full privilege escalation. Unauthorized data access.


Sources:

Reported By: github.com
