Algernon Web Server Auto-Binds SSE Event Server to All Interfaces on Linux and macOS

Vulnerability

A vulnerability in Algernon web server versions prior to 1.17.7 allows the Server-Sent Events (SSE) event server to bind to all network interfaces by default on Linux and macOS. The issue arises because the default host setting for non-Windows platforms is empty, and a listen address with an empty host binds every interface. As a result, a LAN peer can connect and read the file-change stream without any developer interaction. In contrast, the default on Windows binds only the loopback interface, which is the safer setting.

Impact

This vulnerability leads to unauthorized access to the SSE event stream, disclosing the filenames and edit timings of monitored files (for example, files holding secret notes or environment variables) to any peer on the same local network.

Reproduction

To reproduce this vulnerability, run Algernon version 1.17.6 or earlier on a Linux or macOS system. The SSE event server automatically binds to 0.0.0.0:5553, making it reachable from any device on the same local network. A simple curl command can then connect to the SSE server and receive the file-change stream.

Remediation

Users can update to Algernon version 1.17.7 or later, where this vulnerability is fixed. Alternatively, the default event address can be set manually to 'localhost' so the event server is not reachable from other hosts.
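The mechanism behind the advisory (an empty host in a listen address binds every interface, while 'localhost' or 127.0.0.1 binds only loopback) can be checked from a defender's side before deploying. The following Go program is an added example written for this page; it is not Algernon's own code. The function names HostBindsAllInterfaces and ProbeBind are assumptions made here. The first function audits a configured host string statically, the second opens a throwaway listener on an OS-chosen port and inspects the address the kernel actually bound, which is how to confirm what a given configuration really does on the host in question.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// BindExposure records what address a listener really ended up on.
type BindExposure struct {
	Addr          string // address actually bound, e.g. "[::]:41234" or "127.0.0.1:41234"
	AllInterfaces bool   // true when the bound IP is 0.0.0.0 or [::], i.e. reachable from other hosts
}

// HostBindsAllInterfaces is a static config check: it reports whether the host part
// of a listen address would bind every interface. An empty host (the pre-1.17.7
// default on Linux/macOS described in the advisory), "0.0.0.0" and "::" are flagged;
// "localhost", loopback literals and specific interface addresses are not.
func HostBindsAllInterfaces(host string) bool {
	host = strings.Trim(strings.TrimSpace(host), "[]")
	if host == "" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified()
}

// ProbeBind opens a TCP listener on host:port (port 0 lets the OS pick a free port),
// reads back the address the kernel bound, and closes the listener again.
// This is the ground truth the static check approximates.
func ProbeBind(host string, port int) (BindExposure, error) {
	ln, err := net.Listen("tcp", net.JoinHostPort(host, strconv.Itoa(port)))
	if err != nil {
		return BindExposure{}, err
	}
	defer ln.Close()
	tcpAddr := ln.Addr().(*net.TCPAddr)
	return BindExposure{
		Addr:          tcpAddr.String(),
		AllInterfaces: tcpAddr.IP.IsUnspecified(),
	}, nil
}

func main() {
	// Static audit of a few candidate event-server host settings.
	for _, host := range []string{"", "localhost", "0.0.0.0", "127.0.0.1", "::"} {
		fmt.Printf("config host %q -> binds all interfaces: %v\n", host, HostBindsAllInterfaces(host))
	}
	// Live probe. The advisory's default port is 5553; port 0 is used here so the
	// probe never collides with a running instance.
	for _, host := range []string{"", "127.0.0.1"} {
		ex, err := ProbeBind(host, 0)
		if err != nil {
			fmt.Printf("probe with host %q failed: %v\n", host, err)
			continue
		}
		fmt.Printf("listen with host %q -> bound %s, reachable from LAN: %v\n", host, ex.Addr, ex.AllInterfaces)
	}
}
```

Running the program on Linux or macOS shows the empty host landing on [::] or 0.0.0.0 (LAN-reachable) and 127.0.0.1 staying on loopback, which is exactly the difference between the vulnerable default and the remediated setting.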

Added: May 26, 2026, 11:08 PM
Updated: May 26, 2026, 11:08 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.3
exploitability: 6.4
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.