Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.
Start learningUpgrade camofox-mcp to version 1.13.2 or higher.
camofox-mcp is an Anti-detection browser MCP server for AI agents — navigate, interact, and automate the web without getting blocked
Affected versions of this package are vulnerable to Missing Authentication for Critical Function through the /mcp handler in src/http.ts. An attacker can list and invoke browser-control tools by sending requests to the MCP endpoint without any inbound API key or authorization header. When HTTP mode is exposed beyond local loopback bind, the server accepts those requests and forwards the resulting tool calls to the backend browser service using the server-side CAMOFOX_API_KEY if configured. This allows an unauthenticated client to drive browser actions such as tab creation, navigation, and interactions with authenticated browser contexts, undermining the intended control plane for anyone who can reach /mcp.