Cleanuparr Reflective CORS Vulnerability Allowing Cross-Origin API Key Exfiltration
Vulnerability
Cleanuparr, a tool for managing unwanted files in Sonarr and Radarr, prior to version 2.9.10 allows cross-origin reading of authenticated API responses. The cause is a global CORS policy that reflects every request's Origin header back in Access-Control-Allow-Origin and combines it with Access-Control-Allow-Credentials: true, so the browser exposes the response body to any page that made the request. When 'DisableAuthForLocalAddresses' is enabled, the API authenticates requests based solely on the source IP address via 'TrustedNetworkAuthenticationHandler', with no token or session required. Together these mean that any website visited by an admin, or by any user on a trusted IP, can read sensitive API responses, including the admin's permanent API key.
Impact
Exploitation leads to a persistent administrative takeover: the stolen API key is permanent, so the attacker can use it to access Cleanuparr from anywhere the instance is reachable, without being on the trusted network and independently of the victim's browser session.
Reproduction
To reproduce the issue, the instance must have 'DisableAuthForLocalAddresses' enabled, and an admin on a trusted network must visit an attacker-controlled page. Script on that page issues a cross-origin request to the Cleanuparr API; the request originates from the admin's machine, so its source IP passes the trusted-network check, and the reflective CORS policy (echoed origin plus credentials allowance) lets the browser hand the authenticated response, including the API key, to the attacker's script, which can then send it anywhere.
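The following is an added example, not code from Cleanuparr or from the advisory. It models the browser-side CORS decision that makes the exfiltration above work: an origin-reflecting policy with credentials allowance passes the browser's check for any page origin, a wildcard passes only for non-credentialed requests, and an explicit allowlist passes only for the listed origins. The attacker and UI origins, the allowlist and the response body are constructed assumptions; in the real scenario the body is whatever the authenticated endpoint returns. Because 'DisableAuthForLocalAddresses' authenticates by source IP alone, the browser does not even need to attach cookies for the request to succeed, which is why the non-credentialed case is checked as well.

```javascript
// Added example (not Cleanuparr code): models why "echo any Origin +
// Access-Control-Allow-Credentials: true" lets an arbitrary website read an
// authenticated API response, and why an explicit origin allowlist does not.

// Vulnerable policy: whatever Origin the request carries is echoed back,
// together with credentials allowance (the shape described in the advisory).
function vulnerableCorsHeaders(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// Hardened policy: only origins on a fixed allowlist are echoed; any other
// origin gets no CORS headers at all, so the browser blocks the read.
function hardenedCorsHeaders(requestOrigin, allowlist) {
  if (allowlist.includes(requestOrigin)) {
    return {
      "access-control-allow-origin": requestOrigin,
      "access-control-allow-credentials": "true",
      "vary": "Origin", // keep caches from serving one origin's answer to another
    };
  }
  return {};
}

// Simplified form of the check a browser applies before exposing a
// cross-origin response body to page script:
//   - non-credentialed request: ACAO must be "*" or exactly the page origin
//   - credentialed request:     ACAO must be exactly the page origin (never "*")
//                               and ACAC must be exactly "true"
function browserAllowsRead(pageOrigin, responseHeaders, credentialed) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (!credentialed) return acao === "*" || acao === pageOrigin;
  if (acao !== pageOrigin) return false;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Simulates a page at `pageOrigin` fetching the API. The "API" applies the
// chosen CORS policy and returns a constructed body; the IP-based auth check
// is assumed to pass because the request comes from a trusted address.
function attemptExfil(pageOrigin, policy, credentialed) {
  const constructedBody = { apiKey: "CONSTRUCTED-SAMPLE-KEY" }; // not a real key
  const headers = policy(pageOrigin);
  return browserAllowsRead(pageOrigin, headers, credentialed) ? constructedBody : null;
}

const ATTACKER = "https://attacker.example"; // hypothetical attacker origin
const UI = "http://cleanuparr.lan";          // hypothetical origin of the Cleanuparr UI
const hardened = (o) => hardenedCorsHeaders(o, [UI]);

// Returns, for each scenario, whether the page could read the API key.
function demo() {
  return {
    // Reflective policy: the attacker page reads the key with or without cookies.
    vulnWithCreds: attemptExfil(ATTACKER, vulnerableCorsHeaders, true) !== null,
    vulnNoCreds: attemptExfil(ATTACKER, vulnerableCorsHeaders, false) !== null,
    // Allowlist: the attacker origin gets nothing; the UI's own origin still works.
    hardenedAttacker: attemptExfil(ATTACKER, hardened, true) !== null,
    hardenedUi: attemptExfil(UI, hardened, true) !== null,
  };
}

console.log(demo());
```

Note that the allowlist, not the credentials flag, is the control that matters here: with IP-based trusted-network authentication the request succeeds without any cookie, so even a policy that answered with a plain wildcard instead of reflecting the origin would still let the attacker page read the response.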
Remediation
Users are advised to update to Cleanuparr version 2.9.10 or later. Until the upgrade is applied, turning off 'DisableAuthForLocalAddresses' removes the IP-only authentication path that the attack relies on. If an instance may already have been exposed, regenerate the API key as well: a key that was exfiltrated before the upgrade remains valid until it is rotated.
