Neotoma Auth Bypass Vulnerability in Reverse Proxy Loopback Traffic

Vulnerability

An authentication bypass vulnerability has been identified in Neotoma versions from 0.6.0 up to, but not including, 0.11.1. The issue arises when public reverse-proxied requests arrive over a loopback socket without a Bearer token: the application treats the loopback peer address as proof that the request is local, so the REST authentication middleware can resolve such requests as coming from the local development user. This allows unauthenticated access to the hosted Inspector and its related API.

Impact

Exploitation of this vulnerability allows unauthorized access to production data through the Inspector/API on affected deployments.

Remediation

Upgrade to Neotoma version 0.11.1 or later to address this vulnerability. For deployments behind a trusted auth layer or reverse proxy, loopback trust can be re-enabled with the 'NEOTOMA_TRUST_PROD_LOOPBACK=1' environment variable, but only after confirming that nothing other than trusted local hops can reach the Node process.
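The following is an added illustrative example, not Neotoma's own code, that models the class of bug described above and the opt-in behaviour the remediation describes. It shows a request-identity function in the vulnerable shape (loopback socket with no Bearer token resolves to the local development user) beside a hardened shape that, in production, trusts loopback only when NEOTOMA_TRUST_PROD_LOOPBACK=1 is set. The request objects, the token table, the 'local-dev' identity and the use of NODE_ENV to decide production mode are all assumptions constructed for this example.

```javascript
// Added illustrative example (not Neotoma's code). Everything below is constructed:
// request shapes, token store, the 'local-dev' identity and the NODE_ENV check.

const LOOPBACK_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// True when the TCP peer of this request is a loopback address. Note that a reverse
// proxy running on the same host also connects from a loopback address.
function isLoopbackSocket(req) {
  return LOOPBACK_ADDRESSES.has(req.remoteAddress);
}

// Extract the Bearer token from the Authorization header, or null if absent/malformed.
function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)\s*$/i.exec(header);
  return match ? match[1] : null;
}

// Hypothetical token store (constructed): token -> user record. A real deployment
// would use an expiring session store and constant-time comparison.
const TOKENS = new Map([['tok-alice-constructed', { user: 'alice', source: 'bearer' }]]);

function userForToken(token) {
  return TOKENS.get(token) || null;
}

// Vulnerable shape: any loopback connection without a Bearer token is assumed to be the
// local development user. A public request that a same-host reverse proxy forwards
// without credentials therefore resolves as local and reaches the Inspector/API.
function resolveIdentityVulnerable(req) {
  const token = bearerToken(req);
  if (token !== null) return userForToken(token); // an invalid token is rejected, not downgraded
  if (isLoopbackSocket(req)) return { user: 'local-dev', source: 'loopback' };
  return null;
}

// Hardened shape: in production, loopback is trusted only when the operator has opted in
// with NEOTOMA_TRUST_PROD_LOOPBACK=1, which is appropriate only once nothing but trusted
// local hops can reach the Node process. Deciding "production" via NODE_ENV is an
// assumption of this example, not documented Neotoma behaviour.
function resolveIdentityHardened(req, env) {
  const token = bearerToken(req);
  if (token !== null) return userForToken(token);
  const production = env.NODE_ENV === 'production';
  const loopbackTrusted = !production || env.NEOTOMA_TRUST_PROD_LOOPBACK === '1';
  if (loopbackTrusted && isLoopbackSocket(req)) return { user: 'local-dev', source: 'loopback' };
  return null;
}

// Constructed request: what a public request looks like once a same-host reverse proxy has
// forwarded it to the Node process. The socket peer is 127.0.0.1 although the client is not.
const proxiedPublicRequest = {
  remoteAddress: '127.0.0.1',
  headers: { host: 'neotoma.example', 'x-forwarded-for': '203.0.113.7' },
};

const prodEnv = { NODE_ENV: 'production' };
console.log('vulnerable:', resolveIdentityVulnerable(proxiedPublicRequest));      // local-dev
console.log('hardened:  ', resolveIdentityHardened(proxiedPublicRequest, prodEnv)); // null
```

The hardened variant deliberately does not use forwarding headers such as X-Forwarded-For to detect a proxy hop: a proxy may strip or omit them, so the socket peer address alone cannot distinguish a local operator from forwarded public traffic, which is why the opt-in flag exists and why it is only safe once the operator has verified what can reach the loopback port.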

Added: May 29, 2026, 6:34 PM
Updated: May 29, 2026, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.0
remediation: 0.0
relevance: 9.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.