Gradient Unauthenticated Worker Registration Vulnerability Allowing Arbitrary NAR Writes and Cache Poisoning

Vulnerability

A vulnerability in Gradient, a Nix-based continuous integration system, allows unauthenticated registration of workers in version 1.1.0. When the environment variable GRADIENT_DISCOVERABLE is set to true (the default), anyone who can reach the /proto endpoint can register as a worker by presenting a new, unregistered worker UUID. The registered worker session is granted open peer authentication, giving it access to jobs from all organizations. This allows the worker to push and upload arbitrary store paths into the nar_storage and cached_path tables, effectively poisoning the cache. The issue has been patched in version 1.1.1.

Impact

Exploitation of this vulnerability allows an unauthenticated network attacker to register as a worker with full capabilities to fetch, evaluate, and build jobs, bypassing organizational filters. The attacker can access SSH credentials for private repositories of any organization, write arbitrary data to the nar_storage (local or S3), and manipulate the cached_path table with attacker-controlled information. Additionally, if a real job ID is used, the vulnerability can be exploited to create placeholders for cached_path signatures, which can then be used to sign unauthorized content, leading to supply-chain remote code execution on downstream Nix clients, particularly those using the public Gradient instance at gradient.wavelens.io.

Reproduction

To reproduce this vulnerability, connect to a Gradient server's /proto endpoint as an unregistered worker with a fresh UUID and no authentication tokens. The server should accept the connection in open mode, indicating a successful bypass of authentication. Once registered, push arbitrary NAR bytes to a store path and upload metadata that will be recorded in the cached_path table, all without any job ownership.

Remediation

The vulnerability has been fixed in Gradient version 1.1.1. Until the update can be applied, set the GRADIENT_DISCOVERABLE environment variable to false and restrict the /proto endpoint access to known worker IPs.
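As an added defensive example (not Gradient's own code and not part of the original advisory), the following Python script audits a deployment against the two interim mitigations above: it reads GRADIENT_DISCOVERABLE from a KEY=VALUE environment file, treating a missing key as the default of true stated in the advisory, and scans reverse-proxy access logs for /proto requests from addresses outside a known-worker allowlist. It assumes Gradient runs behind a proxy that writes nginx "combined" format access logs; the environment file contents, the log lines, and the 10.0.0.0/24 allowlist are constructed samples.

```python
"""Audit helpers for the Gradient worker-registration issue.

Added example, not Gradient's own code. Assumptions (not from the advisory):
- Gradient's environment is supplied through a KEY=VALUE env file.
- Gradient sits behind a reverse proxy writing nginx 'combined' access logs.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

PROTO_PATH = "/proto"  # endpoint named in the advisory

# nginx 'combined' format:
# ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def discoverable_setting(env_lines: Iterable[str]) -> str:
    """Return the effective GRADIENT_DISCOVERABLE value from KEY=VALUE lines.

    The advisory states the default is true, so a missing key counts as "true".
    The last assignment wins, matching how most env-file loaders behave.
    """
    value = "true"
    for raw in env_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "GRADIENT_DISCOVERABLE":
            value = val.strip().strip('"').strip("'").lower()
    return value


def is_discoverable(env_lines: Iterable[str]) -> bool:
    """True when the deployment still accepts unregistered worker UUIDs."""
    return discoverable_setting(env_lines) == "true"


def unexpected_proto_clients(
    log_lines: Iterable[str], allowed_cidrs: Iterable[str]
) -> List[Tuple[str, str, int]]:
    """Return (ip, timestamp, status) for /proto requests from non-allowlisted IPs.

    Any hit here is a connection that the interim IP restriction should have
    blocked, or that predates it and deserves a look at the registered workers.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits: List[Tuple[str, str, int]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path != PROTO_PATH and not path.startswith(PROTO_PATH + "/"):
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits


# Constructed sample inputs (not real deployment data).
SAMPLE_ENV = [
    "# constructed sample env file",
    "GRADIENT_DISCOVERABLE=true",
    "GRADIENT_LISTEN_PORT=3000",  # hypothetical key, for illustration only
]
SAMPLE_LOG = [
    '10.0.0.5 - - [14/May/2026:19:00:01 +0000] "GET /proto HTTP/1.1" 200 0 "-" "gradient-worker"',
    '203.0.113.9 - - [14/May/2026:19:00:07 +0000] "GET /proto HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [14/May/2026:19:00:09 +0000] "GET /health HTTP/1.1" 200 12 "-" "curl/8.0"',
]
KNOWN_WORKERS = ["10.0.0.0/24"]

if __name__ == "__main__":
    if is_discoverable(SAMPLE_ENV):
        print("GRADIENT_DISCOVERABLE is true: unregistered workers can still register")
    for ip, when, status in unexpected_proto_clients(SAMPLE_LOG, KNOWN_WORKERS):
        print(f"/proto reached from non-allowlisted {ip} at {when} (HTTP {status})")
```

Run it against the real env file and proxy log instead of the samples; an empty result from unexpected_proto_clients together with is_discoverable returning False is the state the interim mitigation aims for.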

Added: May 14, 2026, 7:29 PM
Updated: May 14, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.