Cloudflare Agents SDK Insecure Direct Object Reference Vulnerability in Email Routing

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Cloudflare Agents SDK. The issue lies in the 'createHeaderBasedEmailResolver()' function, which parses the 'Message-ID' and 'References' headers of incoming mail to determine the target agent name and agent ID without adequate validation or origin checks. Because these headers are controlled by the sender, an external attacker can manipulate them to redirect incoming mail to arbitrary Durable Object instances and namespaces.

Impact

Exploitation of this vulnerability allows an attacker to redirect incoming emails to any Agent instance of their choosing by spoofing the Message-ID header, potentially leading to unauthorized access to, or manipulation of, the email content.

Remediation

Users of the Cloudflare Agents SDK should upgrade to version 0.3.7. Additionally, the PR available in the Cloudflare Agents repository provides guidance on how to refactor the email resolver to address this vulnerability.
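As an added illustration, and not code from the Cloudflare Agents SDK or its fix PR, the TypeScript below places the header-trusting pattern the Vulnerability section describes beside a hardened resolver of the kind the Remediation section calls for: routing data is taken from a Message-ID only when the agent namespace is allowlisted and the ID carries an HMAC tag that the service itself issued when it sent the original message. The function names, the '<agent.id.tag@domain>' Message-ID layout, the header fallback order and all sample values are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical types and Message-ID layout; the real Agents SDK resolver differs.
type Resolved = { agentName: string; agentId: string } | null;
type Headers = Record<string, string | undefined>;

const ID_RE = /^[A-Za-z0-9-]{1,64}$/;
const TAG_HEX_LEN = 32; // first 128 bits of HMAC-SHA256, hex-encoded

function tagFor(agentName: string, agentId: string, secret: string): string {
  return createHmac("sha256", secret)
    .update(`${agentName}:${agentId}`)
    .digest("hex")
    .slice(0, TAG_HEX_LEN);
}

// Outbound side: mint a Message-ID that the service can later authenticate.
function buildMessageId(agentName: string, agentId: string, secret: string, domain: string): string {
  return `<${agentName}.${agentId}.${tagFor(agentName, agentId, secret)}@${domain}>`;
}

// Vulnerable pattern from the advisory: whatever the sender placed in the
// header decides which Durable Object namespace and instance receive the mail.
function resolveUnsafe(headers: Headers): Resolved {
  const id = headers["Message-ID"] ?? headers["References"]?.split(/\s+/)[0] ?? "";
  const m = /^<([^.@>]+)\.([^.@>]+)(?:\.[^@>]+)?@[^>]+>$/.exec(id.trim());
  return m ? { agentName: m[1], agentId: m[2] } : null;
}

// Hardened: allowlist the namespace, constrain the ID and require a valid tag,
// so a sender cannot steer mail to an instance the service never addressed.
function resolveSafe(headers: Headers, secret: string, allowedAgents: string[]): Resolved {
  const id = headers["Message-ID"] ?? headers["References"]?.split(/\s+/)[0] ?? "";
  const m = /^<([^.@>]+)\.([^.@>]+)\.([0-9a-f]+)@[^>]+>$/.exec(id.trim());
  if (!m) return null;
  const [, agentName, agentId, tag] = m;
  if (!allowedAgents.includes(agentName) || !ID_RE.test(agentId)) return null;
  const expected = tagFor(agentName, agentId, secret);
  if (tag.length !== expected.length) return null; // timingSafeEqual needs equal lengths
  if (!timingSafeEqual(Buffer.from(tag, "hex"), Buffer.from(expected, "hex"))) return null;
  return { agentName, agentId };
}
```

The secret must be held only by the service; a forged or unknown tag, an unlisted namespace or a malformed ID all resolve to null and the mail is not routed.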

Added: Feb 3, 2026, 12:21 PM
Updated: Feb 3, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.3
remediation: 0.0
relevance: 2.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.