Coder AgentAPI Client-Side DNS Rebinding Vulnerability Allowing Unauthorized Data Exfiltration

Vulnerability

A client-side DNS rebinding vulnerability has been identified in Coder's AgentAPI, an HTTP API that fronts various AI coding agents. It affects versions prior to 0.4.0 and applies when the API is served over plain HTTP on localhost. Because the affected versions do not validate the Host or Origin headers of incoming requests, an attacker who controls a domain can first serve a web page from it and then re-point the domain's DNS record at 127.0.0.1; the victim's browser then treats requests to the local API as same-origin and lets the attacker's script read the responses. The flaw lets the attacker's page interact with the vulnerable API, specifically the /messages endpoint, and exfiltrate sensitive user data from the agent's conversation, including secret keys, local file system contents, and intellectual property. Exploitation requires no user interaction beyond loading the malicious page and completes within seconds of the browser connecting to the attacker's server.

Impact

Exploitation of this vulnerability allows for full GET access to the /messages endpoint, enabling the unauthorized exfiltration of local message history, which can include sensitive information such as secret keys and file system contents.

Reproduction

To reproduce, run an AgentAPI version prior to 0.4.0 on localhost. Point the victim's browser at an attacker-controlled page that performs a DNS rebinding attack; NCC Group's Singularity automates this by serving the page from an attacker domain and then re-resolving that domain to 127.0.0.1. Once the rebinding succeeds, the page's requests to the AgentAPI /messages endpoint are answered as if they came from the same origin, and the victim's chat history is returned to the attacker's script.

Remediation

Users are advised to update to AgentAPI version 0.4.0 or later, which adds a middleware that validates the Host and Origin headers of every request and ships a secure default configuration. A rebound request still carries the attacker's domain in its Host header (the browser derives it from the page's origin, not from the resolved IP address), so rejecting any Host that is not a loopback name defeats the attack. Instructions for updating can be found in the release notes on the AgentAPI GitHub repository.
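The following Go program is an added example, not AgentAPI's own code, illustrating both the reproduction step and the remediation described above: a stand-in /messages handler with constructed sample data, a ProbeRebinding function that sends the kind of request a browser emits after a DNS rebind (path /messages, but Host and Origin naming the attacker's domain), and a localOnly middleware that rejects such requests. The handler, the allowlist, the function names and the attacker domain attacker.example are all assumptions made for this example; the middleware is a generic Host/Origin check and is not claimed to match the project's implementation.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts is the set of hostnames a localhost-only API should accept in
// the Host header (assumed allowlist for this example). A DNS-rebound request
// carries the attacker's domain here, because the browser fills in Host from
// the page's origin rather than from the IP the name currently resolves to.
var allowedHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
}

// hostAllowed strips any ":port" suffix and IPv6 brackets, then checks the
// bare hostname against the allowlist.
func hostAllowed(hostHeader string) bool {
	h := hostHeader
	if host, _, err := net.SplitHostPort(hostHeader); err == nil {
		h = host
	}
	h = strings.Trim(h, "[]")
	return allowedHosts[strings.ToLower(h)]
}

// originAllowed accepts an absent Origin (same-origin navigations and
// non-browser clients such as curl send none) and otherwise requires the
// Origin's host to be a loopback name.
func originAllowed(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return hostAllowed(u.Host)
}

// localOnly is the hardening middleware: requests whose Host or Origin names
// anything other than a loopback host are rejected before reaching the API.
func localOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		if !originAllowed(r.Header.Get("Origin")) {
			http.Error(w, "forbidden: unexpected Origin header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// messagesHandler stands in for the /messages endpoint and returns
// constructed sample chat history containing a fake secret.
func messagesHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"messages":[{"role":"user","content":"my key is sk-constructed-sample"}]}`)
}

// ProbeRebinding reproduces the post-rebind request: it connects to the local
// server at serverURL but sends the attacker's domain in Host and Origin.
// It returns true when the server served /messages anyway (vulnerable).
func ProbeRebinding(serverURL, attackerHost string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, serverURL+"/messages", nil)
	if err != nil {
		return false, err
	}
	req.Host = attackerHost // overrides the Host header on the wire
	req.Header.Set("Origin", "http://"+attackerHost)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

func main() {
	vuln := httptest.NewServer(http.HandlerFunc(messagesHandler))
	defer vuln.Close()
	hard := httptest.NewServer(localOnly(http.HandlerFunc(messagesHandler)))
	defer hard.Close()
	for name, u := range map[string]string{"unpatched": vuln.URL, "hardened": hard.URL} {
		served, err := ProbeRebinding(u, "attacker.example")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s server: rebound request to /messages served = %v\n", name, served)
	}
}
```

The same probe can be pointed at a real local instance to check whether it is patched: a 403 for a request with a foreign Host header means the middleware is active, a 200 means chat history is readable by any page that completes a rebind. If the API is deliberately bound to a non-loopback address or reached through a hostname, that name must be added to the allowlist or legitimate clients will be rejected, which is why the fixed release pairs the check with a secure default configuration rather than a hard-coded list.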

Added: Sep 30, 2025, 12:10 PM
Updated: Sep 30, 2025, 3:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.