Missing Authorization9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Missing Authorization via the rewrite process for the /codex path. An attacker can gain unauthorized access to backend LLM provider credentials and trigger upstream provider calls by sending crafted requests to /codex/* endpoints.
How to fix Missing Authorization? Upgrade 9router to version 0.5.2 or higher.
| |
User Impersonation9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to User Impersonation via manipulation of the Host header. An attacker can gain unauthorized access to the /v1 proxy and trigger server-side requests to internal or cloud-metadata hosts by spoofing the Host header to bypass authentication checks.
How to fix User Impersonation? Upgrade 9router to version 0.5.2 or higher.
| |
Improper Authentication9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Improper Authentication via the dashboardGuard.js process. An attacker can gain unauthorized access to sensitive API endpoints by sending requests through a same-host reverse proxy that forwards public traffic to the backend using 127.0.0.1, causing external requests to be misclassified as local and bypassing authentication checks. This may allow abuse of configured upstream provider credentials through proxy endpoints depending on enabled providers.
How to fix Improper Authentication? Upgrade 9router to version 0.5.2 or higher.
| |
Time-of-check Time-of-use (TOCTOU) Race Condition9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition through the image process in open-sse/translator/concerns/image.js. An attacker can access internal-only HTTP services by leveraging DNS rebinding with a vision-capable model and an attacker-controlled DNS name that initially resolves to a public IP and subsequently rebinds to an internal address. This is only exploitable if the attacker is authenticated and has access to the LLM proxy.
How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade 9router to version 0.5.2 or higher.
| |
Brute Force9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Brute Force in the authentication process. An attacker can gain unauthorized access to administrative functions by sending repeated login attempts with different values in the X-Forwarded-For header, thereby circumventing rate-limiting and lockout mechanisms.
How to fix Brute Force? Upgrade 9router to version 0.4.80 or higher.
| |
Incorrect Authorization9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Incorrect Authorization via the /api/settings/database endpoint, which allows exporting the entire database including plaintext API keys, OAuth tokens, and sensitive settings, as well as importing arbitrary data that can overwrite all existing records. An attacker can gain access to confidential information and completely replace the database contents by authenticating with any valid JWT or CLI token, which may be easily obtained due to weak default credentials or other weaknesses.
How to fix Incorrect Authorization? Upgrade 9router to version 0.4.80 or higher.
| |
Missing Authorization9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to Missing Authorization due to missing authentication checks on several API endpoints, including /api/providers, /api/usage/stats, /api/usage/request-logs, and /api/usage/request-details. An attacker can gain unauthorized access to sensitive information such as API keys, OAuth tokens, account IDs, email addresses, and full conversation histories, as well as perform unauthorized actions like creating, modifying, or deleting provider connections by sending crafted requests to these endpoints.
How to fix Missing Authorization? Upgrade 9router to version 0.5.15 or higher.
| |
User Impersonation9router is a 9Router CLI - Start and manage 9Router server
Affected versions of this package are vulnerable to User Impersonation via the isLocalRequest function. An attacker can gain unauthorized access to restricted routes and interact with child processes by spoofing the Host and Origin headers when the application is deployed behind a reverse proxy or tunnel, and by obtaining or predicting the deterministic CLI token derived from the machine ID. This is only exploitable if the application is deployed behind a proxy or tunnel and the attacker can obtain or guess the machine ID used for token generation.
How to fix User Impersonation? There is no fixed version for 9router.
| |