VYPR
Unrated severity · NVD Advisory · Published Feb 5, 2018 · Updated Aug 5, 2024

CVE-2018-6651

Description

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insufficient Origin header validation in uncurl before 0.07 allows attackers to bypass WebSocket access restrictions, leading to full remote control of Parsec clients.

Vulnerability

The vulnerability resides in the uncurl_ws_accept function of the uncurl library before version 0.07, as used in Parsec before version 140-3. When validating the Origin header of an incoming WebSocket handshake, the function accepts any value that merely contains the expected origin as a substring rather than requiring the full origin to match, so an attacker who controls a domain whose name contains that string can craft a request that passes the check [1].

Exploitation

To exploit the vulnerability, an attacker lures a victim to a website served from a domain under the attacker's control whose name is formatted so that the resulting origin contains the expected string. The victim's browser must execute JavaScript and be able to open WebSocket connections. When the attacker's page opens a WebSocket to the Parsec client's API, the browser sets the Origin header to the attacker's origin; the substring check accepts it, and the page can then issue API requests that the Origin check was meant to restrict to trusted sites [1].

Impact

Successful exploitation gives the attacker's web page full control of the Parsec client. On Windows this amounts to full control of the victim's computer, since Parsec is a remote desktop application. On other platforms (e.g., macOS, Linux) the attacker still controls the client and, through creative use of the API, can reach a similar degree of compromise. The attacker can also grant themselves additional permissions (e.g., escalate from view-only to full access), forcibly disconnect active remote users, and retrieve sensitive information from the victim's device [1].

Mitigation

The vulnerability is patched in Parsec version 140-3 and uncurl version 0.07. Users should upgrade to these or later versions. No workarounds are available; upgrading is the only mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient Origin header validation in uncurl_ws_accept allows an arbitrary substring match instead of an exact match."

Attack vector

An attacker hosts a website on a specially formatted domain name and lures the victim to visit it. The victim's browser must run JavaScript and be capable of making WebSocket connections [1]. The attacker's page sends a WebSocket handshake to the Parsec client; because `uncurl_ws_accept` only checks whether the Origin header contains the expected string rather than matching the complete origin, a domain crafted to contain that string passes validation [1]. The page can then send arbitrary commands to the Parsec client, and on Windows systems this grants full control over the victim's computer [1].

Affected code

The vulnerability resides in the `uncurl_ws_accept` function in `uncurl.c` in uncurl before version 0.07, which is used by Parsec. The function performs insufficient Origin header validation by accepting an arbitrary substring match rather than requiring an exact match.

What the fix does

The advisory states that the vulnerability was patched in uncurl 0.07 and Parsec version 140-3 [1]. No patch diff is included in the bundle, so the exact change cannot be shown here; the advisory text implies the corrected check compares the complete Origin value against the allowed origin instead of searching for it as a substring [1]. Users should upgrade to Parsec 140-3 or later to close the vulnerability.
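As an added illustration of the substring-versus-exact comparison described in the Vulnerability, Attack vector and fix sections above (example code written for this page, not uncurl's or Parsec's source), the following C program extracts the Origin header from a constructed WebSocket handshake and evaluates it two ways: the weak contains-check the advisory describes, and an exact match against the whole serialized origin. The allowed origin `https://app.example`, the request strings and the function names are hypothetical; uncurl's real expected origin and code layout are not in the bundle.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical origin the WebSocket API intends to allow. Not the value uncurl or Parsec use. */
#define ALLOWED_ORIGIN "https://app.example"

/* Constructed handshake from the allowed site. */
static const char REQ_LEGIT[] =
    "GET /ws HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://app.example\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n";

/* Constructed handshake from an attacker host whose name contains the allowed origin as a substring. */
static const char REQ_CRAFTED[] =
    "GET /ws HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://app.example.attacker.test\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n";

/* Constructed handshake with no Origin header at all (non-browser client). */
static const char REQ_NO_ORIGIN[] =
    "GET /ws HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "\r\n";

/* Case-insensitive prefix test for header names (HTTP header names are case-insensitive). */
static bool has_prefix_ci(const char *s, size_t slen, const char *prefix) {
    size_t plen = strlen(prefix);
    if (slen < plen) return false;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i])) return false;
    return true;
}

/* Copy the trimmed value of the Origin header into out. Returns false if absent or too long. */
static bool get_origin(const char *request, char *out, size_t outlen) {
    const char *line = request;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (has_prefix_ci(line, linelen, "Origin:")) {
            const char *v = line + 7;
            size_t vlen = linelen - 7;
            while (vlen > 0 && isspace((unsigned char)*v)) { v++; vlen--; }
            while (vlen > 0 && isspace((unsigned char)v[vlen - 1])) vlen--;
            if (vlen >= outlen) return false;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return true;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return false;
}

/* Weak check, the pattern the advisory describes: accept if ALLOWED_ORIGIN appears anywhere in the value. */
bool origin_ok_substring(const char *request) {
    char origin[256];
    if (!get_origin(request, origin, sizeof origin)) return false;
    return strstr(origin, ALLOWED_ORIGIN) != NULL;
}

/* Hardened check: the entire serialized origin (scheme, host, port) must equal the allow-list entry. */
bool origin_ok_exact(const char *request) {
    char origin[256];
    if (!get_origin(request, origin, sizeof origin)) return false;
    return strcmp(origin, ALLOWED_ORIGIN) == 0;
}

int main(void) {
    const char *names[] = { "legit", "crafted", "no-origin" };
    const char *reqs[]  = { REQ_LEGIT, REQ_CRAFTED, REQ_NO_ORIGIN };
    for (int i = 0; i < 3; i++)
        printf("%-10s substring=%d exact=%d\n", names[i],
               (int)origin_ok_substring(reqs[i]), (int)origin_ok_exact(reqs[i]));
    return 0;
}
```

The crafted request is accepted by the substring check and rejected by the exact check, which is the whole difference the advisory turns on. Note that exact comparison only works because browsers serialize Origin as a normalized scheme://host[:port] value; a server that wants to allow several sites should keep an allow-list of complete origins and compare each entry the same way, and should treat a missing or `null` Origin as untrusted rather than falling through to accept.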

Preconditions

  • input: Victim must visit an attacker-controlled website
  • input: Victim's browser must run JavaScript and support WebSocket connections
  • config: Parsec client must be running on the victim's machine

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.