{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sse/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@yoda.digital/gitlab-mcp-server (\u003c 0.6.0)"],"_cs_severities":["high"],"_cs_tags":["gitlab","auth-bypass","sse","cors","vulnerability"],"_cs_type":"advisory","_cs_vendors":["GitLab"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@yoda.digital/gitlab-mcp-server\u003c/code\u003e exposes an unauthenticated SSE HTTP transport that allows anyone who can reach the server\u0026rsquo;s port to execute arbitrary GitLab API calls with the operator\u0026rsquo;s \u003ccode\u003eGITLAB_PERSONAL_ACCESS_TOKEN\u003c/code\u003e. This vulnerability exists because the server does not require any authentication for the \u003ccode\u003e/sse\u003c/code\u003e and \u003ccode\u003e/messages\u003c/code\u003e endpoints and uses a wildcard CORS policy, effectively allowing any website visited by the operator to interact with the server. This allows attackers to perform destructive operations such as deleting repositories or pushing malicious files. The issue was identified in commit \u003ccode\u003e80a7b4cf3fba6b55389c0ef491a48190f7c8996a\u003c/code\u003e of the \u003ccode\u003emcp-gitlab-server\u003c/code\u003e and affects versions prior to 0.6.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable \u003ccode\u003e@yoda.digital/gitlab-mcp-server\u003c/code\u003e instance running with \u003ccode\u003eUSE_SSE=true\u003c/code\u003e enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web page that, when visited by the operator, attempts to connect to the \u003ccode\u003e/sse\u003c/code\u003e endpoint of the GitLab MCP server.\u003c/li\u003e\n\u003cli\u003eDue to the wildcard CORS policy (\u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e), the browser allows the cross-origin request from the malicious page to succeed.\u003c/li\u003e\n\u003cli\u003eThe server establishes an SSE connection and provides the attacker with a session ID in the form of \u003ccode\u003e/messages?sessionId=\u0026lt;UUID\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious web page sends a POST request to the \u003ccode\u003e/messages?sessionId=\u0026lt;UUID\u0026gt;\u003c/code\u003e endpoint, specifying a \u003ccode\u003etools/call\u003c/code\u003e method with a desired GitLab API function (e.g., \u003ccode\u003edelete_repository\u003c/code\u003e, \u003ccode\u003epush_files\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server receives the unauthenticated request and, using the operator\u0026rsquo;s \u003ccode\u003eGITLAB_PERSONAL_ACCESS_TOKEN\u003c/code\u003e, executes the requested GitLab API call.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes repositories, pushes malicious files, or modifies repository settings on the targeted GitLab instance.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as compromising the integrity of the GitLab instance or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to perform arbitrary actions on a GitLab instance using the permissions of the operator\u0026rsquo;s \u003ccode\u003eGITLAB_PERSONAL_ACCESS_TOKEN\u003c/code\u003e. This includes deleting repositories, pushing malicious code, and modifying repository settings. The impact is significant as it allows complete compromise of the targeted GitLab instance. The vulnerability affects any instance where the \u003ccode\u003e@yoda.digital/gitlab-mcp-server\u003c/code\u003e is running with \u003ccode\u003eUSE_SSE=true\u003c/code\u003e and is network accessible, or when the operator visits a malicious webpage while running the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAs a short-term mitigation, if using SSE, immediately set the \u003ccode\u003eMCP_GITLAB_AUTH_TOKEN\u003c/code\u003e environment variable and validate that the server is checking this token on every request as suggested in the advisory to prevent unauthenticated access.\u003c/li\u003e\n\u003cli\u003eLimit network exposure by ensuring that the server is bound to \u003ccode\u003e127.0.0.1\u003c/code\u003e unless there\u0026rsquo;s a specific requirement for network accessibility. Configure the \u003ccode\u003eMCP_GITLAB_HOST\u003c/code\u003e variable and use the \u003ccode\u003eCORS_ORIGINS\u003c/code\u003e allowlist as described in the advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade to version 0.6.0 or later of \u003ccode\u003e@yoda.digital/gitlab-mcp-server\u003c/code\u003e when available to obtain the official fix and ensure that the SAML/OAuth3 authentication mechanisms described in the README are implemented to secure the SSE transport.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GitLab MCP Server Unauthenticated SSE Connection\u0026rdquo; to detect connections to the \u003ccode\u003e/sse\u003c/code\u003e endpoint, indicating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GitLab MCP Server Unauthenticated API Call\u0026rdquo; to detect unauthenticated calls to the \u003ccode\u003e/messages\u003c/code\u003e endpoint, indicating exploitation via the SSE transport.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:47:00Z","date_published":"2024-01-26T18:47:00Z","id":"/briefs/2024-01-26-gitlab-mcp-server-auth-bypass/","summary":"The @yoda.digital/gitlab-mcp-server's SSE transport lacks authentication and uses wildcard CORS, enabling unauthenticated attackers to execute arbitrary GitLab API calls using the operator's GitLab PAT, including destructive operations.","title":"GitLab MCP Server Unauthenticated Access via SSE Transport","url":"https://feed.craftedsignal.io/briefs/2024-01-26-gitlab-mcp-server-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Sse","version":"https://jsonfeed.org/version/1.1"}