Keygraph Shannon Hard-Coded API Key Vulnerability in Router Component
Vulnerability
A vulnerability exists in Keygraph Shannon due to a hard-coded API key in the router configuration. This key, which is publicly available, allows network attackers to authenticate and proxy requests through the Shannon instance using the victim's upstream provider API credentials. The issue arises when the router component is enabled and exposed, and it results in unauthorized API usage and potential disclosure of proxied request and response data. The vulnerability affects Keygraph Shannon versions prior to the commit that introduced mitigation measures.
Impact
Exploitation of this vulnerability could lead to unauthorized API usage on behalf of the victim, with potential disclosure of sensitive data from proxied requests and responses.
Reproduction
The vulnerability can be reproduced by enabling the router component and exposing it to the network. Once the router port is reachable, an attacker can authenticate with the hard-coded API key and send requests that the Shannon instance proxies using the victim's upstream API credentials.
Remediation
Users are advised to update to the latest version of Keygraph Shannon, where this vulnerability has been addressed by binding all ports to localhost, removing the hard-coded API key, and adding a path traversal guard to validate included file paths.
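One way to check the localhost-binding part of this remediation on a Linux host, as an added example that is not part of the advisory or of Shannon's own code: the script parses `ss -ltnH` output and reports listeners bound to anything other than a loopback address. The sample output and every port number in it are constructed, since the advisory does not state the router port.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (listening TCP sockets, no header).
# All ports are placeholders; 8080 stands in for the router port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 [::1]:6000 [::]:*
LISTEN 0 128 *:9090 *:*
LISTEN 0 128 [::]:22 [::]:*
"""


def split_local(field):
    """Split ss's 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    return host, int(port)


def is_loopback(host):
    """True only for addresses inside 127.0.0.0/8 or ::1."""
    if host == "*":  # ss prints '*' for a wildcard bind on all addresses
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, ports=None):
    """Return (host, port) pairs listening on a non-loopback address.

    ports: optional set that limits the check to the service's own ports.
    """
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        host, port = split_local(fields[3])
        if (ports is None or port in ports) and not is_loopback(host):
            findings.add((host, port))
    return sorted(findings, key=lambda hp: (hp[1], hp[0]))


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"non-loopback listener: {host}:{port}")
```

On a live host, feed the function the real output of `ss -ltnH` and pass the ports the deployment actually uses; an empty result for those ports means they are reachable only from the local machine.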
