Skip to content

Commit d222567

Browse files
1 parent 7c6bf11 commit d222567

2 files changed

Lines changed: 142 additions & 0 deletions

File tree

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4hf8-5mjm-rfgq",
4+
"modified": "2026-06-26T21:50:50Z",
5+
"published": "2026-06-26T21:50:49Z",
6+
"aliases": [
7+
"CVE-2026-49357"
8+
],
9+
"summary": "Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication",
10+
"details": "# Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication\n\n## Summary\n\n`line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application.\n\nThis is High for deployments where the HTTP port is reachable beyond the local host, because the server acts with the user authority of the logged-in LINE Desktop session. It is lower if the listener is strictly firewalled to trusted local clients.\n\n## Affected version\n\nRepository: `dtwang/line-desktop-mcp`\n\nCurrent source checked: `fbed0d2d3048e63f48a356a1267ed8ec5e78f3ae` on `main`, committed 2026-05-14.\n\nPublished npm package checked: `line-desktop-mcp@1.1.1`.\n\n## Source evidence\n\n`README.md` documents Streamable HTTP mode:\n\n```text\nnpx line-desktop-mcp@latest --http-mode --port 3000\n```\n\nThe same README documents MCP endpoints at `/mcp` and explains that this mode is intended for clients such as n8n.\n\n`src/server.js` registers LINE Desktop tools including:\n\n- `get_line_chatroom_history_default`\n- `get_line_chatroom_history_long`\n- `get_line_chatroom_history_short`\n- `send_message_manual`\n- `send_message_auto`\n\nThose tool handlers call into the desktop automation layer: `getChatHistory(...)` and `sendChatMessage(...)`.\n\nIn HTTP mode, `src/server.js` creates an Express app and Streamable HTTP transport, accepts POSTs to `/mcp`, creates sessions, connects the transport to the MCP server, and calls `transport.handleRequest(...)`. I did not find an authentication or bearer-token check before session creation or tool invocation.\n\nThe listener is explicitly network-bound:\n\n```js\napp.listen(port, 0.0.0.0, () => {\n console.error(`LINE Desktop MCP Server running on Streamable HTTP mode`);\n console.error(` Local: http://127.0.0.1:${port}${endpoint}`);\n console.error(` Network: http://0.0.0.0:${port}${endpoint}`);\n});\n```\n\n## Vulnerability chain\n\n1. A user starts the server with `--http-mode --port 3000`.\n2. The server binds on `0.0.0.0:3000`, not only loopback.\n3. A network client reaches `/mcp` and sends the normal MCP initialize request.\n4. The server creates a Streamable HTTP session without authenticating the caller.\n5. The caller can list and invoke LINE Desktop tools.\n6. Tool calls execute through the logged-in LINE Desktop application on the user workstation.\n\n## Impact\n\nAn unauthenticated network client can read LINE chat history through the MCP history tools and can send LINE messages through the send-message tools, including `send_message_auto` when the tool call requests immediate sending. The attacker does not need LINE credentials or a LINE API token; they only need network reachability to the MCP HTTP port.\n\nThe practical impact is disclosure of private LINE conversations and unauthorized messages sent as the logged-in desktop user.\n\n## Suggested fix\n\nRequire authentication before accepting Streamable HTTP MCP sessions or tool calls. For example:\n\n- require a bearer token or local secret when `--http-mode` is used;\n- bind HTTP mode to `127.0.0.1` by default unless the operator explicitly opts into network exposure;\n- refuse to start `0.0.0.0` HTTP mode without authentication;\n- document that `host.docker.internal` / n8n setups must still authenticate to the MCP server.\n\nA defense-in-depth improvement would also keep `send_message_auto` disabled unless explicitly enabled by a server-side flag, because it converts MCP tool access into immediate message sending as the desktop user.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "line-desktop-mcp"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.1.2"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.1.1"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/dtwang/line-desktop-mcp/security/advisories/GHSA-4hf8-5mjm-rfgq"
45+
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49357"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/dtwang/line-desktop-mcp/commit/680617894981ea93f8f6ceb51ecde7519754d501"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/dtwang/line-desktop-mcp"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-306",
62+
"CWE-862"
63+
],
64+
"severity": "HIGH",
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-06-26T21:50:49Z",
67+
"nvd_published_at": "2026-06-19T14:16:23Z"
68+
}
69+
}
Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6cp8-v795-jr2j",
4+
"modified": "2026-06-26T21:53:07Z",
5+
"published": "2026-06-26T21:53:07Z",
6+
"aliases": [
7+
"CVE-2026-47066"
8+
],
9+
"summary": "Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry",
10+
"details": "### Summary\n\n[CVE-2026-47066](https://nvd.nist.gov/vuln/detail/CVE-2026-47066) is an infinite loop (CWE-835) in hackney's Alt-Svc response header parser (`src/hackney_altsvc.erl`). When an HTTP server returns an `Alt-Svc` header whose value begins with a non-token byte (e.g. `!`, `@`, `=`, `;`), the parser enters a tight tail-recursive loop that pins an Erlang scheduler at 100% CPU and permanently hangs the calling connection process. Because the parser is invoked synchronously on every HTTP response, any attacker-controlled origin can trigger the hang with a single-byte header value.\n\n### Details\n\n**1. Parser dispatch**\n\n`parse_and_cache/3` is called inside the hackney connection process on each HTTP response. It collects all `Alt-Svc` header values via `collect_altsvc_headers/1`, concatenates them, and passes the result to `parse/1`, which calls `parse_entries(Header, [])`.\n\n**2. Failed token consumption**\n\n`parse_entries/2` → `parse_entry/1` → `parse_protocol/1` → `parse_token(Data, <<>>)`. The function `parse_token/2` pattern-matches leading bytes: alphanumeric, `-`, `_`, whitespace, and comma all have explicit clauses. Any other byte (e.g. `!`) falls through to the catch-all:\n\n```erlang\nparse_token(Rest, <<>>) -> {undefined, Rest}.\n```\n\nThis returns the *input unchanged* — no byte is consumed.\n\n**3. No-progress loop**\n\n`parse_entry` propagates `{undefined, Rest}` back to `parse_entries/2`, which calls `skip_comma(Rest)`. Because the first byte is not `,`, `skip_comma` also returns `Rest` unchanged. `parse_entries` then recurses with the identical buffer:\n\n```erlang\nparse_entries(Data, Acc) % Data identical to previous iteration\n```\n\nErlang tail recursion never preempts on a pure CPU loop, so the scheduler is pinned and the process never yields or returns.\n\n**4. Root cause**\n\n`parse_entries/2` has no guard that detects zero-byte progress after a failed `parse_entry` call and no fallback to advance past the offending byte.\n\n### PoC\n\n1. Start an HTTP server that responds with the header `Alt-Svc: !` (any single non-token byte suffices).\n2. Issue any HTTP GET request via hackney to that server:\n ```erlang\n hackney:request(get, \"http://attacker.example/\", [], <<>>, [])\n ```\n3. Observe that the call never returns; the Erlang scheduler hosting the connection process is pinned at 100% CPU indefinitely.\n\nAlternatively, call the parser directly: `hackney_altsvc:parse(<<\"!\">>)` — the process hangs immediately.\n\n### Impact\n\nDenial of service via unbounded CPU consumption. Any application using hackney 2.0.0-beta.1 through 4.0.0 that connects to attacker-controlled HTTP endpoints is affected. No authentication is required; a single response header byte is sufficient to hang the connection process. Fixed in hackney 4.0.1. CVSS v4.0 score: **8.7 (HIGH)**.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/408e5fe20302226ea8c74dde2bcbd452d712b5b2\n* Patch commit: https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Hex",
21+
"name": "hackney"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "2.0.0"
29+
},
30+
{
31+
"fixed": "4.0.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47066"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://cna.erlef.org/cves/CVE-2026-47066.html"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/benoitc/hackney"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47066"
62+
}
63+
],
64+
"database_specific": {
65+
"cwe_ids": [
66+
"CWE-835"
67+
],
68+
"severity": "HIGH",
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-06-26T21:53:07Z",
71+
"nvd_published_at": "2026-05-25T15:16:21Z"
72+
}
73+
}

0 commit comments

Comments
 (0)