Skill Scanner Unauthenticated API Vulnerability Allowing Denial-of-Service and Arbitrary File Upload
Vulnerability
A vulnerability exists in the API Server of Skill Scanner, a security scanner for AI Agent Skills, in versions through 1.0.1. The issue allows an unauthenticated, remote attacker to interact with the server API, potentially leading to a denial-of-service condition or the upload of arbitrary files. The root cause is an incorrect default binding: the API Server listens on multiple network interfaces rather than only the loopback interface, allowing excessive resource consumption or unauthorized file uploads to various folders on the affected device. The API Server is not enabled by default, but once activated, this vulnerability can be exploited by sending API requests to the exposed server.
Impact
Exploitation of this vulnerability could cause a denial-of-service condition by overwhelming the server's resources, particularly memory, or allow for unauthorized file uploads to arbitrary locations on the affected device.
Reproduction
The vulnerability can be reproduced by starting the Skill Scanner API Server and binding it to an interface exposed to the network. Once the server is running, API requests can be sent to exploit the vulnerability. This can be done using a script or a tool that sends HTTP requests to the server's API endpoints, taking advantage of the exposed interfaces to cause a denial-of-service condition or upload files.
Remediation
Users can upgrade to Skill Scanner version 1.0.2 or later, which addresses this vulnerability by defaulting the API Server binding to localhost, so that the API is reachable only from the local machine unless an operator explicitly chooses otherwise.
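As an added example (not Skill Scanner's own code, which this page does not show), the guard below implements the hardened default the fix describes, a loopback-only bind unless the operator explicitly opts in, and pairs it with a check over `ss -ltn`-style listener output so an operator can spot an API server that is already exposed on a non-loopback address. The port numbers and the listener sample are constructed, and the function names are assumptions for illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::1]:8001         [::]:*
LISTEN 0      128    [::]:8081          [::]:*
"""


def is_loopback_bind(host: str) -> bool:
    """True only if `host` confines a listener to the local machine."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other hostname is not trusted as loopback
    # 0.0.0.0 and :: bind every interface; only a loopback address is safe.
    return addr.is_loopback and not addr.is_unspecified


def choose_bind_host(requested: Optional[str], allow_remote: bool = False) -> str:
    """Hardened default: loopback unless the operator explicitly opts in.

    Mirrors the 1.0.2 behaviour described above: with no host given, bind to
    127.0.0.1; a non-loopback host is refused unless allow_remote is set.
    """
    host = requested or "127.0.0.1"
    if not is_loopback_bind(host) and not allow_remote:
        raise ValueError(f"refusing to expose API on {host!r} without allow_remote")
    return host


def exposed_listeners(ss_output: str, ports: set) -> list:
    """Return (address, port) pairs on `ports` that are reachable beyond loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if int(port) in ports and not is_loopback_bind(host):
            exposed.append((host.strip("[]"), int(port)))
    return exposed
```

Run `exposed_listeners(SAMPLE_LISTENERS, {8000, 8080, 8001, 8081})` against real `ss -ltn` output and the scanner's configured port to confirm nothing is listening on a wildcard or external address.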