PubNet Authentication Bypass Vulnerability Allowing Unauthenticated Package Upload and Identity Spoofing
Vulnerability
A critical authentication bypass vulnerability has been identified in PubNet, a self-hosted Dart and Flutter package service, in versions prior to 1.1.3. The vulnerability exists in the '/api/storage/upload' endpoint, which allows unauthenticated users to upload packages as any user by supplying an arbitrary author-id value. This flaw enables identity spoofing, privilege escalation, and supply chain attacks. The root cause is that the endpoint performs no authentication check and trusts the client-supplied author-id parameter: it only verifies that the author exists in the database, never that the requester is authorized to act as that author.
Impact
Exploitation of this vulnerability could lead to identity spoofing, allowing users to upload packages as any registered user, including administrators. It could also result in privilege escalation: an unauthenticated attacker gains administrative capabilities, bypasses all authorization controls, and obtains full control over the package repository. Additionally, the vulnerability could be used to inject malicious code into packages under trusted identities, compromising downstream systems that consume those packages and potentially executing arbitrary code on developer machines and CI/CD systems.
Reproduction
The vulnerability can be reproduced by creating a valid Dart package and sending a POST request to the '/api/storage/upload' endpoint. The request must include the package file and an author-id that corresponds to a registered user, such as an administrator. The absence of authentication checks allows the package to be uploaded successfully, impersonating the user associated with the provided author-id.
Remediation
Users are advised to update to PubNet version 1.1.3 or later, where this vulnerability has been patched. It is also recommended to add authentication to all sensitive endpoints.
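To make the flaw and its remediation concrete, the following is an added example written for this page, not code from PubNet (which is a Dart project; this is a Python model of the same logic): an upload handler that trusts the client-supplied author-id, beside a hardened handler that derives the acting identity from the caller's session and rejects any mismatch. The Request, Repo, USERS and SESSIONS names and values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: registered authors and a session-token table.
USERS = {"admin": {"role": "admin"}, "alice": {"role": "user"}}
SESSIONS = {"tok-alice-123": "alice"}  # bearer token -> authenticated user id


@dataclass
class Request:
    headers: dict  # e.g. {"Authorization": "Bearer ..."}
    form: dict     # e.g. {"author-id": "...", "package": b"..."}


@dataclass
class Repo:
    uploads: list = field(default_factory=list)  # (author, package bytes)


def upload_vulnerable(req: Request, repo: Repo) -> dict:
    """Models the pre-1.1.3 behaviour described in the advisory: the handler
    only checks that the supplied author-id exists, never who is calling."""
    author = req.form.get("author-id")
    if author not in USERS:
        return {"status": 404, "error": "unknown author"}
    repo.uploads.append((author, req.form.get("package")))
    return {"status": 200, "author": author}


def authenticate(req: Request):
    """Resolve the caller from the Authorization header; None if absent or invalid."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def upload_fixed(req: Request, repo: Repo) -> dict:
    """Hardened form: identity comes from the authenticated session, and a
    client-supplied author-id is accepted only if it names the caller."""
    caller = authenticate(req)
    if caller is None:
        return {"status": 401, "error": "authentication required"}
    requested = req.form.get("author-id", caller)
    if requested != caller:
        return {"status": 403, "error": "not authorized to act as this author"}
    repo.uploads.append((caller, req.form.get("package")))
    return {"status": 200, "author": caller}
```

The same unauthenticated request that names an administrator succeeds against the vulnerable handler and is refused with 401 by the hardened one; an authenticated user who names someone else is refused with 403.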
