Relay Server Authentication Bypass Vulnerability in WebSocket Endpoints
Vulnerability
An authentication bypass vulnerability has been identified in Relay Server versions 0.9.0 through 0.9.6. This issue occurs in the multi-document WebSocket endpoints, where connections lacking a token query parameter were mistakenly granted full server permissions. As a result, an unauthenticated network attacker who knows or guesses a document ID could access the document sync WebSocket, allowing them to read or modify document contents without a valid token. This vulnerability has been patched in version 0.9.7.
Impact
Exploitation of this vulnerability allows for unauthorized access to document sync WebSocket endpoints, enabling an attacker to read or modify document contents without a valid token. This bypasses the intended authentication mechanism and could lead to unauthorized changes or access to sensitive information within the documents.
Remediation
Users are advised to upgrade to Relay Server version 0.9.7 or later. If an immediate upgrade is not possible, operators can block unauthenticated WebSocket upgrade requests before they reach Relay by configuring a reverse proxy, gateway, firewall, or other edge control to reject requests to Relay's document WebSocket endpoints unless the request includes a non-empty token query parameter. This workaround only checks for token presence; invalid tokens should still be rejected by Relay.
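The presence check described in this workaround can be sketched as follows. This is an added example, not code from Relay or from the advisory. The path prefix is a labelled placeholder (the advisory does not list the endpoint paths), and the function names and the decision to reject when any duplicate token parameter is blank are assumptions made here.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Assumption: placeholder prefix. Replace it with the path under which your
# deployment exposes Relay's document WebSocket endpoints.
DOC_WS_PREFIX = "/RELAY-DOC-WS-PLACEHOLDER"

def is_websocket_upgrade(headers):
    """True when the request asks to switch the connection to WebSocket."""
    h = {k.lower(): v for k, v in headers.items()}
    connection = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return "upgrade" in connection and h.get("upgrade", "").strip().lower() == "websocket"

def has_nonempty_token(query):
    """True when `token` is present and no occurrence of it is blank."""
    # Every duplicate must be non-blank: the edge cannot know which
    # occurrence the backend reads (a conservative choice made here).
    values = parse_qs(query, keep_blank_values=True).get("token", [])
    return bool(values) and all(v.strip() for v in values)

def reject_at_edge(target, headers, prefix=DOC_WS_PREFIX):
    """Return True when the edge should refuse the request (e.g. with 401)."""
    raw_path, _, query = target.partition("?")
    # Decode and normalize first so the prefix match sees the real path.
    path = "/" + posixpath.normpath(unquote(raw_path)).lstrip("/")
    if path != prefix and not path.startswith(prefix + "/"):
        return False  # outside the document WebSocket endpoints
    if not is_websocket_upgrade(headers):
        return False  # the workaround covers WebSocket upgrades only
    return not has_nonempty_token(query)

# Constructed sample requests (not captured traffic).
WS = {"Connection": "keep-alive, Upgrade", "Upgrade": "websocket"}
SAMPLES = [
    (DOC_WS_PREFIX + "/doc-1", WS),                       # no token
    (DOC_WS_PREFIX + "/doc-1?token=", WS),                # empty token
    (DOC_WS_PREFIX + "/doc-1?token=%20", WS),             # whitespace only
    (DOC_WS_PREFIX + "/doc-1?token=a&token=", WS),        # blank duplicate
    ("/other/../" + DOC_WS_PREFIX.lstrip("/") + "/doc-1", WS),  # unnormalized path
    (DOC_WS_PREFIX + "/doc-1?token=constructed-value", WS),     # token present
]

if __name__ == "__main__":
    for target, headers in SAMPLES:
        print("reject" if reject_at_edge(target, headers) else "pass  ", target)
```

A request that passes this check has only shown that a token is present; Relay still has to validate it, so the check does not replace the upgrade to 0.9.7.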
