Lumiverse Arbitrary OS-Level Code Execution Vulnerability via MCP Server Creation Endpoint

A vulnerability in the Lumiverse AI chat application, prior to version 0.9.7, allows authenticated users to execute arbitrary operating system-level code on the server. This issue arises because the MCP server creation endpoint validates the command field against an allowlist of binary names but fails to validate the args array before forwarding it to the child process. Binaries on the allowlist can be exploited using inline-code execution flags, such as '-e' for Node.js or Bun, and '-c' for Python 3 or Deno. The vulnerability is exploitable from any machine with network access to the server port, as the server binds to all interfaces and the host-header rebinding check can be easily bypassed.

Impact

Exploitation of this vulnerability leads to full operating system-level code execution as the user running the Lumiverse server process. This vulnerability is accessible to any authenticated user and, when combined with two other vulnerabilities, could allow for unauthenticated remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/mcp-servers' endpoint with a valid session token in the cookie. Include a command from the allowlist, such as 'node', and an args array that uses the inline-code execution flag to execute a payload, such as writing a file to the server. After creating the MCP server, send a POST request to the '/api/v1/mcp-servers/<returned id>/connect' endpoint to trigger the execution.

Remediation

Users should update to Lumiverse version 0.9.7 or later, where this vulnerability has been fixed.