{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/engramx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["engramx"],"_cs_severities":["high"],"_cs_tags":["csrf","prompt-injection","engramx"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eengramx\u003c/code\u003e HTTP server, which is enabled by default and listens on \u003ccode\u003e127.0.0.1:7337\u003c/code\u003e, is vulnerable to Cross-Site Request Forgery (CSRF) and prompt injection attacks in versions prior to 2.0.2. This vulnerability stems from a combination of a wildcard CORS policy (\u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e) and the absence of authentication by default. An attacker could exploit this by enticing a developer to visit a malicious web page, leading to the exfiltration of sensitive data from the local knowledge graph and the injection of malicious payloads. The vulnerability was discovered and responsibly disclosed by @gabiudrescu in engram issue #7. 
Defenders should prioritize upgrading to version 2.0.2 or implementing the provided workarounds to mitigate the risk of unauthorized access and persistent compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer installs a vulnerable version of \u003ccode\u003eengramx\u003c/code\u003e (\u0026gt;= 1.0.0, \u0026lt; 2.0.2) and the HTTP server starts by default.\u003c/li\u003e\n\u003cli\u003eThe server binds to \u003ccode\u003e127.0.0.1:7337\u003c/code\u003e and serves requests without requiring authentication unless \u003ccode\u003eENGRAM_API_TOKEN\u003c/code\u003e is explicitly set.\u003c/li\u003e\n\u003cli\u003eA developer visits a malicious website in their browser.\u003c/li\u003e\n\u003cli\u003eScript on the malicious page issues cross-origin requests to \u003ccode\u003e127.0.0.1:7337\u003c/code\u003e. The browser sends them regardless of CORS; the \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e header is what lets the page read the responses.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/query\u003c/code\u003e or \u003ccode\u003e/stats\u003c/code\u003e exfiltrates the local knowledge graph, including function names, file layout, and recorded decisions/mistakes.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/learn\u003c/code\u003e carries a crafted prompt-injection payload. Because the server does not enforce \u003ccode\u003eContent-Type: application/json\u003c/code\u003e, the page can send the body as \u003ccode\u003etext/plain\u003c/code\u003e, which the browser treats as a simple request and delivers without a CORS preflight.\u003c/li\u003e\n\u003cli\u003eThe injected payload is written as \u003ccode\u003emistake\u003c/code\u003e/\u003ccode\u003edecision\u003c/code\u003e nodes in the knowledge graph.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s AI coding agent is persistently reminded of the injected payload on every future session and file edit, leading to compromised code generation and execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the compromise of sensitive developer data, including internal function names, file layouts, and coding decisions, giving attackers insight into the target\u0026rsquo;s projects. The persistent prompt-injection payload, in turn, corrupts the user\u0026rsquo;s AI coding agent on every later session, potentially causing it to generate flawed or malicious code. While the exact number of affected users is unknown, any developer running the HTTP server of a vulnerable version of \u003ccode\u003eengramx\u003c/code\u003e is exposed to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eengramx@2.0.2\u003c/code\u003e or later to apply the remediation measures outlined in the advisory.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, do \u003cstrong\u003enot\u003c/strong\u003e run \u003ccode\u003eengram server\u003c/code\u003e or \u003ccode\u003eengram ui\u003c/code\u003e as a workaround.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eengram server\u003c/code\u003e must be run, set \u003ccode\u003eENGRAM_API_TOKEN\u003c/code\u003e to a long random value and terminate the server before browsing the web (as noted in the advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect engramx API access without authentication\u0026rdquo; to identify potentially unauthorized access attempts to the engramx API.\u003c/li\u003e\n\u003cli\u003eMonitor connections to \u003ccode\u003e127.0.0.1:7337\u003c/code\u003e and flag client processes other than the coding agent; in this attack the requests originate from the developer\u0026rsquo;s web browser, so a browser process connecting to that port is the signal to look for.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-engram-csrf-prompt-injection/","summary":"The engramx HTTP server, enabled by default and binding to 127.0.0.1:7337, is 
vulnerable to CSRF and prompt injection attacks, allowing a malicious website to exfiltrate the local knowledge graph and inject persistent prompt-injection payloads.","title":"engramx vulnerable to CSRF enabling graph exfiltration and prompt injection","url":"https://feed.craftedsignal.io/briefs/2024-01-engram-csrf-prompt-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Engramx","version":"https://jsonfeed.org/version/1.1"}
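The attack chain and the fix, as an added example that is not engramx's own code and not the 2.0.2 patch: a pure-function model of the request handling the advisory describes, driven by a minimal model of browser CORS behaviour, so the cross-origin read, the preflight-free `text/plain` write, and the effect of the hardening can be exercised without opening a socket. The endpoint paths (`/query`, `/stats`, `/learn`) and `ENGRAM_API_TOKEN` come from the advisory; the graph contents, the attacker origin `https://evil.example`, the allowlisted UI origin, the token value and the payload are assumptions.

```javascript
// Added example, not engramx's own code: a pure-function model of the request
// handling the advisory describes, so the cross-origin attack and a fix can be
// exercised without opening a socket. Endpoint paths (/query, /stats, /learn)
// and ENGRAM_API_TOKEN come from the advisory; the graph contents, the
// attacker origin, the allowlisted UI origin and the payload are assumptions.

const ATTACKER_ORIGIN = "https://evil.example";              // assumed attacker page
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:7337"]);  // assumed origin of the local UI
const TOKEN = "assumed-long-random-ENGRAM_API_TOKEN-value";  // assumed token value
// Content types a browser may POST cross-origin without a CORS preflight.
const SIMPLE_CONTENT_TYPES = new Set(["text/plain", "application/x-www-form-urlencoded", "multipart/form-data"]);

// Constructed sample knowledge graph standing in for a developer's real one.
function makeGraph() {
  return {
    files: ["src/auth/session.ts", "src/db/users.ts"],
    functions: ["verifySession", "hashPassword"],
    nodes: [{ type: "decision", text: "hash passwords with argon2id" }],
  };
}

function isGraphRead(req) {
  return req.method === "GET" && (req.path === "/query" || req.path === "/stats");
}

// Pre-2.0.2 behaviour as the advisory describes it: wildcard CORS, no
// authentication, and /learn parses the body whatever its Content-Type.
function vulnerableHandler(graph, req) {
  const cors = { "access-control-allow-origin": "*" };
  if (isGraphRead(req)) return { status: 200, headers: cors, body: JSON.stringify(graph) };
  if (req.method === "POST" && req.path === "/learn") {
    graph.nodes.push(JSON.parse(req.body));
    return { status: 200, headers: cors, body: "ok" };
  }
  return { status: 404, headers: cors, body: "" };
}

// Illustrative hardening (not the 2.0.2 patch itself): reflect only allowlisted
// origins, require the bearer token, and accept only application/json on
// /learn so a cross-origin write can no longer be a preflight-free request.
function hardenedHandler(graph, req, token) {
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: "" };
  const headers = origin === undefined ? {} : { "access-control-allow-origin": origin, vary: "Origin" };
  if (req.headers.authorization !== `Bearer ${token}`) return { status: 401, headers, body: "" };
  if (isGraphRead(req)) return { status: 200, headers, body: JSON.stringify(graph) };
  if (req.method === "POST" && req.path === "/learn") {
    if (req.headers["content-type"] !== "application/json") return { status: 415, headers, body: "" };
    graph.nodes.push(JSON.parse(req.body));
    return { status: 200, headers, body: "ok" };
  }
  return { status: 404, headers, body: "" };
}

function originAllowed(headers, origin) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Minimal model of a browser fetch() from a page at `origin`: a POST with a
// non-simple Content-Type is preflighted with OPTIONS and dropped unless the
// preflight succeeds; otherwise the request reaches the server (side effects
// included) and the body is exposed to the page only if ACAO permits it.
function browserFetch(handle, origin, req) {
  const ct = req.headers["content-type"];
  if (req.method === "POST" && ct !== undefined && !SIMPLE_CONTENT_TYPES.has(ct)) {
    const pre = handle({ method: "OPTIONS", path: req.path, headers: { origin }, body: "" });
    if (pre.status >= 300 || !originAllowed(pre.headers, origin)) return { sent: false, status: 0, body: null };
  }
  const res = handle({ ...req, headers: { ...req.headers, origin } });
  return { sent: true, status: res.status, body: originAllowed(res.headers, origin) ? res.body : null };
}

// The two steps of the attack chain, driven from the attacker's page.
function runAttack(graph, handle) {
  const payload = { type: "mistake", text: "constructed prompt-injection payload" };
  const read = browserFetch(handle, ATTACKER_ORIGIN, { method: "GET", path: "/query", headers: {}, body: "" });
  browserFetch(handle, ATTACKER_ORIGIN, {
    method: "POST", path: "/learn",
    headers: { "content-type": "text/plain" }, // simple request: no preflight
    body: JSON.stringify(payload),
  });
  return {
    leaked: read.body !== null && read.body.includes("hashPassword"),
    injectedNodes: graph.nodes.filter((n) => n.type === "mistake").length,
  };
}

// Runs the attack against both handlers and a legitimate (non-browser,
// token-bearing, application/json) write against the hardened one.
function demo() {
  const g1 = makeGraph();
  const g2 = makeGraph();
  const g3 = makeGraph();
  const legit = hardenedHandler(g3, {
    method: "POST", path: "/learn",
    headers: { authorization: `Bearer ${TOKEN}`, "content-type": "application/json" },
    body: JSON.stringify({ type: "decision", text: "use prepared statements" }),
  }, TOKEN);
  return {
    vulnerable: runAttack(g1, (req) => vulnerableHandler(g1, req)),
    hardened: runAttack(g2, (req) => hardenedHandler(g2, req, TOKEN)),
    legitimateAgentStatus: legit.status,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the model makes visible that the prose only states: a cross-origin POST with `application/json` never reaches either handler, because neither answers the preflight, so it is precisely the missing Content-Type check that turns `/learn` into a CSRF sink; and the token alone already defeats the page's requests, since a browser never attaches a bearer header on the attacker's behalf, which is why the advisory's `ENGRAM_API_TOKEN` workaround is meaningful even before the CORS policy is tightened.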
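Detection logic for the last two recommendations, as an added example that is not the Sigma rule the advisory refers to and not part of engramx. The page does not give engramx's log format, so the records below are a constructed JSON-lines access log with the fields a reverse proxy in front of `127.0.0.1:7337`, or the server itself, could emit; the field names, the legitimate UI origins and the `/healthz` path are assumptions to adapt to your real source.

```javascript
// Added detection example, not the advisory's Sigma rule and not engramx code.
// The log format is constructed: adapt the field names to your real source.

const SENSITIVE_PATHS = new Set(["/query", "/stats", "/learn"]); // endpoints named in the advisory
const LOCAL_ORIGINS = new Set(["http://127.0.0.1:7337", "http://localhost:7337"]); // assumed legitimate UI origins

// Constructed sample: one legitimate agent call, the two attack requests from
// the chain above, and an unrelated unauthenticated health probe.
const SAMPLE_LOG = `
{"ts":"2024-01-24T12:00:01Z","src":"127.0.0.1:51012","method":"GET","path":"/stats","origin":null,"has_auth":true,"content_type":null,"status":200}
{"ts":"2024-01-24T12:00:07Z","src":"127.0.0.1:51040","method":"GET","path":"/query","origin":"https://evil.example","has_auth":false,"content_type":null,"status":200}
{"ts":"2024-01-24T12:00:08Z","src":"127.0.0.1:51041","method":"POST","path":"/learn","origin":"https://evil.example","has_auth":false,"content_type":"text/plain","status":200}
{"ts":"2024-01-24T12:00:20Z","src":"127.0.0.1:51099","method":"GET","path":"/healthz","origin":null,"has_auth":false,"content_type":null,"status":200}
`.trim();

function parseLog(text) {
  return text.split("\n").filter((line) => line.trim() !== "").map((line) => JSON.parse(line));
}

// Returns one finding per suspicious, successful request to a sensitive
// endpoint. Rejected requests (401/403/415) are skipped: they show the
// server's own controls working and would only add noise here.
function auditAccessLog(text) {
  const findings = [];
  for (const rec of parseLog(text)) {
    if (!SENSITIVE_PATHS.has(rec.path) || rec.status >= 400) continue;
    const reasons = [];
    if (!rec.has_auth) reasons.push("unauthenticated API access");
    if (rec.origin !== null && !LOCAL_ORIGINS.has(rec.origin)) reasons.push(`cross-origin request from ${rec.origin}`);
    if (rec.method === "POST" && rec.path === "/learn" && rec.content_type !== "application/json") {
      reasons.push(`/learn write with Content-Type ${rec.content_type}`);
    }
    if (reasons.length > 0) {
      // A cross-origin write is the persistence step of the chain: rate it highest.
      const severity = rec.method === "POST" && rec.origin !== null ? "high" : "medium";
      findings.push({ ts: rec.ts, src: rec.src, method: rec.method, path: rec.path, severity, reasons });
    }
  }
  return findings;
}

for (const f of auditAccessLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.severity.toUpperCase()} ${f.method} ${f.path} from ${f.src}: ${f.reasons.join("; ")}`);
}
```

The `has_auth` test on its own reproduces the intent of "Detect engramx API access without authentication"; the `origin` test is the one that distinguishes this attack from a misconfigured local agent, because a non-browser client such as the coding agent sends no `Origin` header at all, whereas every request from the malicious page carries the attacker's.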