VYPR
Medium severity · 5.9 · NVD Advisory · Published Jun 1, 2026

CVE-2026-43625

Description

CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.

Affected products: 1

Patches: 1
cdd7e347c1cf

fix: require HTTPS for provider redirect cookies

https://github.com/steipete/CodexBar · Hinotobi · May 30, 2026 · via nvd-ref
4 files changed · +25 −1
  • Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift +6 −1 modified
    @@ -371,13 +371,18 @@ public struct AmpUsageFetcher: Sendable {
         }
     
         static func shouldAttachCookie(to url: URL?) -> Bool {
    +        guard url?.scheme?.lowercased() == "https" else { return false }
    +        return self.isAmpHost(url)
    +    }
    +
    +    private static func isAmpHost(_ url: URL?) -> Bool {
             guard let host = url?.host?.lowercased() else { return false }
             if host == "ampcode.com" || host == "www.ampcode.com" { return true }
             return host.hasSuffix(".ampcode.com")
         }
     
         static func isLoginRedirect(_ url: URL) -> Bool {
    -        guard self.shouldAttachCookie(to: url) else { return false }
    +        guard self.isAmpHost(url) else { return false }
     
             let path = url.path.lowercased()
             let components = path.split(separator: "/").map(String.init)
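Review bot: switching `isLoginRedirect` from `shouldAttachCookie` to the new host-only `isAmpHost` is the right call, because a login redirect that lands on `http://ampcode.com/...` must still be recognised as a login redirect even though the cookie is now withheld; add a one-line comment above `isLoginRedirect` saying the host-only check is intentional, otherwise a later cleanup could fold it back into `shouldAttachCookie` and lose that distinction. Also worth confirming outside this hunk that the redirect handler calls `shouldAttachCookie(to:)` on every redirected request rather than only the initial one, since the `https` guard only helps if it is evaluated on the downgraded hop.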
    
  • Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +1 −0 modified
    @@ -620,6 +620,7 @@ public struct OllamaUsageFetcher: Sendable {
         }
     
         static func shouldAttachCookie(to url: URL?) -> Bool {
    +        guard url?.scheme?.lowercased() == "https" else { return false }
             guard let host = url?.host?.lowercased() else { return false }
             if host == "ollama.com" || host == "www.ollama.com" { return true }
             return host.hasSuffix(".ollama.com")
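Review bot: the added `https` guard is the same line added to Amp's `shouldAttachCookie`, and the host test under it has the same shape as `isAmpHost`; consider pulling the scheme-plus-host predicate into a shared helper in CodexBarCore so the two providers cannot drift apart again, and add a short comment stating that cleartext URLs are rejected to keep the imported session cookie off the wire. Unlike the Amp file, Ollama gets no host-only helper here, so if OllamaUsageFetcher has any redirect classification that calls `shouldAttachCookie`, it will now stop matching `http://` redirects and needs the same split.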
    
  • Tests/CodexBarTests/AmpUsageFetcherTests.swift +11 −0 modified
    @@ -17,11 +17,22 @@ struct AmpUsageFetcherTests {
             #expect(!AmpUsageFetcher.shouldAttachCookie(to: nil))
         }
     
    +    @Test
    +    func `rejects non https amp urls`() {
    +        #expect(!AmpUsageFetcher.shouldAttachCookie(to: URL(string: "http://ampcode.com/settings")))
    +        #expect(!AmpUsageFetcher.shouldAttachCookie(to: URL(string: "http://www.ampcode.com")))
    +        #expect(!AmpUsageFetcher.shouldAttachCookie(to: URL(string: "http://app.ampcode.com/path")))
    +    }
    +
         @Test
         func `detects login redirects`() throws {
             let signIn = try #require(URL(string: "https://ampcode.com/auth/sign-in?returnTo=%2Fsettings"))
             #expect(AmpUsageFetcher.isLoginRedirect(signIn))
     
    +        let downgradedSignIn = try #require(URL(string: "http://ampcode.com/auth/sign-in?returnTo=%2Fsettings"))
    +        #expect(AmpUsageFetcher.isLoginRedirect(downgradedSignIn))
    +        #expect(!AmpUsageFetcher.shouldAttachCookie(to: downgradedSignIn))
    +
             let sso = try #require(URL(string: "https://ampcode.com/auth/sso?returnTo=%2Fsettings"))
             #expect(AmpUsageFetcher.isLoginRedirect(sso))
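Review bot: the new cases exercise only a lowercase `http` scheme; since the guard compares `scheme?.lowercased()`, add one positive case such as `URL(string: "HTTPS://ampcode.com")` to pin the case-insensitive acceptance, and one with a scheme that is neither `http` nor `https` to show the guard rejects anything that is not exactly `https` rather than only `http`. The `downgradedSignIn` pair is the most valuable addition in this hunk: it documents that login-redirect detection and cookie attachment are now separate decisions.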
     
    
  • Tests/CodexBarTests/OllamaUsageFetcherTests.swift +7 −0 modified
    @@ -17,6 +17,13 @@ struct OllamaUsageFetcherTests {
             #expect(!OllamaUsageFetcher.shouldAttachCookie(to: nil))
         }
     
    +    @Test
    +    func `rejects non https ollama urls`() {
    +        #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "http://ollama.com/settings")))
    +        #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "http://www.ollama.com")))
    +        #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "http://app.ollama.com/path")))
    +    }
    +
         @Test
         func `manual mode without valid header throws no session cookie`() {
             do {
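Review bot: these mirror the Amp cases, so the same gap applies: add an uppercase-scheme positive case to exercise the `lowercased()` in the guard. There is also no counterpart to Amp's `downgradedSignIn` check here; if Ollama has any redirect-classification path, a test that an `http://ollama.com/...` redirect is still classified correctly while `shouldAttachCookie` returns false would keep the two providers' test suites aligned.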
    

Vulnerability mechanics

Root cause

"Improper redirect handling allows session cookies to be sent over cleartext HTTP."

Attack vector

Network attackers can intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. An attacker can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain [ref_id=1]. This vulnerability is exploitable by network attackers with no authentication or user interaction required.

Affected code

The vulnerability exists in the `shouldAttachCookie` function within the `AmpUsageFetcher` and `OllamaUsageFetcher` structs. Before the fix, that function checked only the request host (the provider apex, its `www.` host, or a subdomain) and ignored the URL's scheme, so a cookie imported for an HTTPS provider session would also be attached to a request for a cleartext `http://` URL on the same provider domain.

What the fix does

The patch enforces that session cookies are only attached to URLs with an HTTPS scheme for both Amp and Ollama providers. This is achieved by adding a guard, `url?.scheme?.lowercased() == "https"`, at the top of `shouldAttachCookie` for both providers [patch_id=4383040]. For Amp, the host check is also split out into a private `isAmpHost` helper, and `isLoginRedirect` now uses that host-only helper instead of `shouldAttachCookie`, so a login redirect that has been downgraded to `http://` is still recognised as a login redirect while the cookie is withheld. By requiring HTTPS, the vulnerability is mitigated: session cookies are no longer transmitted over unencrypted HTTP connections, so a network attacker on the path cannot read them from the redirected request.
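To make the before/after policies concrete, the following is an added Python model (not CodexBar's code; the Swift in the diff above is the real implementation) that walks a constructed redirect chain ending in a same-domain downgrade and reports at which hop each policy would put the cookie on a cleartext request. The host-suffix rules follow the diff; `is_login_redirect` is an assumed simplification of the project's `isLoginRedirect`.

```python
from urllib.parse import urlsplit

# Provider apex domains, taken from the host checks in the fix commit.
PROVIDER_APEX = {"amp": "ampcode.com", "ollama": "ollama.com"}


def is_provider_host(url: str, provider: str) -> bool:
    """Host-only check, equivalent to isAmpHost / the Ollama host test in the diff."""
    apex = PROVIDER_APEX[provider]
    host = (urlsplit(url).hostname or "").lower()
    return host == apex or host == "www." + apex or host.endswith("." + apex)


def should_attach_cookie_vulnerable(url: str, provider: str) -> bool:
    """Pre-0.32.0 policy: any URL on a provider host gets the cookie, scheme ignored."""
    return is_provider_host(url, provider)


def should_attach_cookie_fixed(url: str, provider: str) -> bool:
    """0.32.0 policy: refuse anything that is not https, then apply the host check."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    return is_provider_host(url, provider)


def is_login_redirect(url: str, provider: str) -> bool:
    """Assumed simplification of isLoginRedirect: provider host plus an /auth/ path.
    Deliberately host-only, so a downgraded login redirect is still recognised."""
    path = urlsplit(url).path.lower()
    return is_provider_host(url, provider) and path.startswith("/auth/")


def cleartext_cookie_hops(chain, provider, policy):
    """URLs in a redirect chain where `policy` would send the session cookie over http."""
    return [u for u in chain
            if urlsplit(u).scheme.lower() == "http" and policy(u, provider)]


# Constructed redirect chain: https entry, then a same-domain downgrade to http.
CHAIN = [
    "https://ampcode.com/settings",
    "https://ampcode.com/auth/sign-in?returnTo=%2Fsettings",
    "http://ampcode.com/auth/sign-in?returnTo=%2Fsettings",
]

if __name__ == "__main__":
    for name, policy in [("vulnerable", should_attach_cookie_vulnerable),
                         ("fixed", should_attach_cookie_fixed)]:
        print(name, "sends cookie over cleartext at:",
              cleartext_cookie_hops(CHAIN, "amp", policy))
```

Running it shows the pre-fix policy attaching the cookie at the third hop and the fixed policy attaching it nowhere on that chain, while `is_login_redirect` still classifies the downgraded hop as a login redirect.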

Preconditions

  • Network: the attacker must be on the network path to intercept traffic.
  • Input: the target must visit a provider-controlled redirect target that issues a redirect to a cleartext HTTP endpoint within the same provider domain.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
