Unrated severity · NVD Advisory · Published Jan 19, 2018 · Updated Sep 16, 2024

CVE-2017-12112

Description

An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cpp-ethereum's JSON-RPC API (commit 4e101574) lacks authorization on admin_addPeer, letting remote attackers bypass admin restrictions.

Vulnerability

An exploitable improper authorization vulnerability exists in the admin_addPeer API of cpp-ethereum's JSON-RPC server at commit 4e1015743b95821849d001618a7ce82c7c073768 [1]. The API does not perform any authorization check, allowing a remote attacker without credentials to invoke restricted functionality that should require administrator privileges. The server is bound to 0.0.0.0 by default, exposing the interface to the network. Additionally, the Content-Type header is not enforced, making the API easily reachable via CSRF or SSRF attacks [1]. No visible option exists to change the default binding to localhost [1].

Exploitation

An attacker can send a crafted JSON-RPC request to the admin_addPeer endpoint from any network position, requiring only the ability to reach the exposed server interface [1]. No authentication or user interaction is needed. The lack of CORS headers and Content-Type enforcement further enables exploitation through cross-domain requests, including CSRF or SSRF [1]. No special timing or race condition is required.

Impact

Successful exploitation allows an attacker to bypass the intended administrator authorization and invoke admin_addPeer, potentially adding a malicious peer to the node's peer list [1]. This results in an information disclosure vulnerability (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N) [1]. The attacker gains low-level information disclosure of network peer data, but does not achieve direct code execution or full system compromise based on available references.

Mitigation

As of the publication date (2018-01-19), no patched version has been identified in the available references [1]. Users are advised to restrict network access to the JSON-RPC server (e.g., bind to localhost only) and implement additional authentication or reverse proxy protections. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Monitor the cpp-ethereum project for future security updates.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <= commit 4e1015743b95821849d001618a7ce82c7c073768
  • Talos/CPP-Ethereumv5
    Range: Ethereum commit 4e1015743b95821849d001618a7ce82c7c073768

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check in admin_addPeer API allows unauthenticated remote callers to invoke administrator-level functionality."

Attack vector

The JSON-RPC server binds to 0.0.0.0 by default, exposing the admin_addPeer API to any network-accessible host [1]. An attacker sends a simple HTTP POST request with a JSON-RPC payload (method "admin_addPeer") to the target's port 8545; no session key, authentication header, or Content-Type enforcement is required [1]. Because the server does not validate the Content-Type header, the API can also be triggered via CSRF or SSRF attacks even when the node is behind NAT [1]. The lack of any privilege check in the function body (no RPC_ADMIN macro) means the request succeeds without verifying the caller's identity [1].

Affected code

The vulnerable function is AdminNet::admin_addPeer in the cpp-ethereum JSON-RPC implementation (commit 4e1015743b95821849d001618a7ce82c7c073768) [1]. At lines 81-85, the function accepts a node string and calls m_network.addPeer without any prior privilege check; notably, it lacks the RPC_ADMIN macro that other admin APIs use [1].

What the fix does

The advisory does not include a patch diff, but it identifies the root cause: the admin_addPeer function (lines 81-85) lacks the RPC_ADMIN privilege check that other admin APIs use [1]. The comparable admin_net_connect API performs RPC_ADMIN at line 31 before calling admin_addPeer, confirming the intended security pattern [1]. The fix would require adding an RPC_ADMIN macro (or equivalent authorization guard) at the beginning of admin_addPeer to enforce that only authenticated administrator sessions can call it [1].
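
The guard pattern described above, as an added C++ sketch (a simplified model, not cpp-ethereum source and not code from the advisory). Only the names RPC_ADMIN, admin_addPeer, admin_net_connect and m_network.addPeer come from the page; `SessionManager`, `hasAdmin`, `admin_addPeer_guarded`, `peersAfterUnauthenticatedCall`, the macro body and the sample values are assumptions made for illustration.

```cpp
// Added illustration: a simplified model of the guard pattern, not cpp-ethereum source.
#include <cstddef>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the node's session store.
struct SessionManager {
    std::set<std::string> adminSessions;
    bool hasAdmin(const std::string& s) const { return adminSessions.count(s) != 0; }
};

// Named after the RPC_ADMIN macro in the advisory; this body is an assumption.
#define RPC_ADMIN \
    if (!m_sm.hasAdmin(_session)) throw std::runtime_error("Invalid privileges");

class AdminNet {
public:
    explicit AdminNet(const SessionManager& sm) : m_sm(sm) {}
    // Guarded path: privilege check first, then the peer is added.
    bool admin_net_connect(const std::string& _node, const std::string& _session) {
        RPC_ADMIN
        return addPeer(_node);
    }
    // Behaviour the advisory describes: no check before the peer is added.
    bool admin_addPeer(const std::string& _node) { return addPeer(_node); }
    // Hardened form: same guard as admin_net_connect, session supplied by the caller.
    bool admin_addPeer_guarded(const std::string& _node, const std::string& _session) {
        RPC_ADMIN
        return addPeer(_node);
    }
    std::size_t peerCount() const { return m_peers.size(); }
private:
    // Models the call to m_network.addPeer.
    bool addPeer(const std::string& n) { m_peers.push_back(n); return true; }
    const SessionManager& m_sm;
    std::vector<std::string> m_peers;
};

// Peers present after one call made without a valid admin session (constructed input).
std::size_t peersAfterUnauthenticatedCall(bool guarded) {
    SessionManager sm;
    sm.adminSessions.insert("constructed-admin-key");
    AdminNet api(sm);
    try {
        if (guarded) api.admin_addPeer_guarded("enode://constructed@192.0.2.1:30303", "wrong-key");
        else api.admin_addPeer("enode://constructed@192.0.2.1:30303");
    } catch (const std::runtime_error&) { /* request rejected by the guard */ }
    return api.peerCount();
}
```

In the model, the unguarded method changes the peer list for a caller with no admin session, while the guarded form rejects the same request before the peer list is touched.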

Preconditions

  • config: The cpp-ethereum node must be started with the --admin-via-http flag (or equivalent) to enable the JSON-RPC admin interface
  • network: The attacker must have network access to the node's JSON-RPC port (default 8545), which by default binds to 0.0.0.0
  • auth: No authentication or session credentials are required; the API lacks any authorization check

Reproduction

Start the cpp-ethereum node with the admin interface enabled: `./eth -j --admin-via-http`. From an attacker host with network access to the node's IP (e.g. 192.168.217.155:8545), send: `curl -i -X POST --data '{"jsonrpc":"2.0","method":"admin_addPeer","params":[""],"id":1}' 192.168.217.155:8545`. The server responds with HTTP 200 and a JSON result containing peer information, confirming unauthenticated access to the admin API [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
