CVE-2024-49379
Description
Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed in the redirect parameter, the attacker-provided JavaScript is executed after the user enters their password and clicks login. This vulnerability is fixed in 1.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Umbrel login allows arbitrary JS execution after login via crafted redirect parameter; fixed in 1.2.2.
Vulnerability Overview
The login functionality in Umbrel versions prior to 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in the use-auth.tsx component [1]. The getRedirectPath() function reads the redirect query parameter from the URL without sanitization and passes it directly to window.location.href [1]. This allows an attacker to supply a javascript: URL as the redirect value, which executes arbitrary JavaScript in the context of the victim's session after they successfully log in [1].
Exploitation Details
An attacker can craft a malicious link, such as http://umbrel.local/login?redirect=javascript:alert(window.localStorage.getItem('jwt')), and trick a victim into clicking it [1]. When the victim enters their credentials and submits the login form, the attacker's script runs, potentially stealing the JWT or performing other actions [1]. The vulnerability does not require authentication on the attacker's part, but relies on social engineering to get the victim to click the link and log in.
Impact and Potential for RCE
The immediate impact is the ability to execute arbitrary JavaScript in the victim's browser, which can lead to session hijacking, data theft, or further attacks [1]. Importantly, researchers demonstrated that this XSS can be escalated to remote code execution (RCE) by leveraging the WebSocket terminal functionality within Umbrel [1]. The attacker's JavaScript can open a WebSocket connection to the internal terminal and execute commands on the server, achieving full server compromise [1].
Mitigation
The vulnerability is fixed in Umbrel version 1.2.2 [2]. The fix includes adding Content Security Policy (CSP) headers and other security hardening via the Helmet middleware, which blocks execution of inline scripts and mitigates XSS [3]. All users are strongly advised to update to the latest version.
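The root cause described above is a redirect value that flows unchecked from the query string into window.location.href. Beyond CSP, the application-level fix is to validate that value before navigating. The following is an added example, not Umbrel's own code: a validator that only accepts same-origin relative paths, rejecting javascript: and other scheme-bearing URLs, protocol-relative hosts, and whitespace tricks. The function and constant names are assumptions for illustration.

```typescript
// Added example, not Umbrel's own code: validate a "redirect" query value
// before it is assigned to window.location.href, so that a javascript: or
// other scheme-bearing URL supplied by a third party is never navigated to.
// Function and constant names below are assumptions for illustration.

const FALLBACK_PATH = "/";
const PARSE_BASE = "https://placeholder.invalid"; // fixed base for resolution

// Returns a same-origin, path-only redirect target, or FALLBACK_PATH.
function getSafeRedirectPath(raw: string | null | undefined): string {
  if (!raw) return FALLBACK_PATH;

  // Reject control characters and whitespace outright: browsers strip tabs
  // and newlines while parsing, so a value like "/<tab>/host" would
  // otherwise turn into a protocol-relative "//host" after the checks below.
  if (/[\u0000-\u0020]/.test(raw)) return FALLBACK_PATH;

  // Accept only paths relative to the current origin: a leading "/" that is
  // not followed by "/" or "\" rules out scheme-bearing values such as
  // "javascript:..." as well as the "//host" and "/\host" forms.
  if (!/^\/(?![\/\\])/.test(raw)) return FALLBACK_PATH;

  // Defence in depth: resolve against a fixed base and confirm the result
  // stayed on that origin, then hand back only path + query + fragment.
  let resolved: URL;
  try {
    resolved = new URL(raw, PARSE_BASE);
  } catch {
    return FALLBACK_PATH;
  }
  if (resolved.origin !== PARSE_BASE) return FALLBACK_PATH;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Sketch of how a login handler would use it: the raw query value from the
// page URL is passed through the validator before navigation is triggered.
function redirectAfterLogin(search: string, navigate: (to: string) => void): string {
  const target = getSafeRedirectPath(new URLSearchParams(search).get("redirect"));
  navigate(target);
  return target;
}
```

In a React component, `navigate` would wrap the router's navigation call or the assignment to window.location.href; the validator is framework-agnostic.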
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.