Moderate severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 12, 2026

ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

CVE-2026-32112

Description

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ha-mcp OAuth consent form has XSS via unescaped f-string rendering; fixed in 7.0.0.

Vulnerability Description

The ha-mcp OAuth consent form prior to version 7.0.0 uses Python f-strings to render user-controlled parameters without HTML escaping, leading to a cross-site scripting (XSS) vulnerability [1][3]. Specifically, the consent_form.py file builds HTML via f-strings but never calls html.escape() [3]. Parameters such as client_name, client_id, redirect_uri, and state are rendered unescaped in HTML element or attribute contexts, allowing injection of arbitrary HTML and JavaScript [3].
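
The rendering flaw described above, shown next to an escaped version, as an added example (this is not ha-mcp's code or its actual fix). The form layout, function names and sample values are assumptions for illustration; only the four parameter names and the use of f-strings without html.escape() come from the advisory.

```python
import html
from html.parser import HTMLParser

FIELDS = ("client_name", "client_id", "redirect_uri", "state")
# Constructed sample values, not from the advisory; the markup is inert.
SAMPLE = {
    "client_name": "Demo <b>App</b>",                               # element context
    "client_id": "abc123",
    "redirect_uri": 'https://client.example/cb" data-injected="1',  # attribute context
    "state": "xyz",
}

def _form(name, cid, uri, state):
    # Hypothetical consent markup (assumption); the real template is not on the page.
    return (
        f"<h1>Authorize {name}</h1>\n"
        f"<p>Client ID: {cid}</p>\n"
        f'<form method="post">\n'
        f'  <input type="hidden" name="redirect_uri" value="{uri}">\n'
        f'  <input type="hidden" name="state" value="{state}">\n'
        f"</form>\n"
    )

def render_unescaped(params):
    # The flawed pattern: request values go into the f-string as supplied.
    return _form(*(params[k] for k in FIELDS))

def render_escaped(params):
    # quote=True also encodes " and ', which attribute values require.
    return _form(*(html.escape(str(params[k]), quote=True) for k in FIELDS))

class _Shape(HTMLParser):
    def __init__(self):
        super().__init__()
        self.shape = []
    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(name for name, _ in attrs)))

def markup_shape(document):
    """Return [(tag, attribute names)] for every start tag in the rendered form."""
    parser = _Shape()
    parser.feed(document)
    parser.close()
    return parser.shape

def alters_structure(render, params):
    """True if the values change the form's tags or attributes (regression check)."""
    baseline = markup_shape(render(dict.fromkeys(FIELDS, "x")))
    return markup_shape(render(params)) != baseline
```

`alters_structure` can serve as a regression test for any consent-page renderer: supplied values should never add tags or attributes to the parsed form.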

Exploitation

An attacker who can reach the ha-mcp OAuth endpoint can register a malicious client via the Dynamic Client Registration (DCR) endpoint (/register), which accepts client_name without sanitization [3]. The attacker then convinces the server operator to follow a crafted authorization URL for that client. If the operator visits the URL, the malicious JavaScript executes in their browser [2][3]. The attack affects only users running the beta OAuth mode (ha-mcp-oauth), which requires explicit configuration and is not part of the standard setup [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the server operator's browser session, potentially leading to session hijacking, data theft, or further actions within the Home Assistant environment [3]. The vulnerability does not affect the default stdio mode [3].

Mitigation

The vulnerability is fixed in ha-mcp version 7.0.0 [1][2][3]. Users running the beta OAuth mode should upgrade immediately. No workarounds are available for affected versions [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ha-mcp (PyPI) | < 7.0.0 | 7.0.0

Affected products

1
  • homeassistant-ai/ha-mcpv5
    Range: < 7.0.0

References

3
