Microsoft UFO
- v3.0.1-4-ge2626659
A vulnerability in the Microsoft UFO framework, version 3.0.1-4-ge2626659, allows an authenticated WebSocket client to supply its own session ID in a task message. The server accepts the client-supplied ID and, if it matches an existing in-memory session object, reuses that session without checking which client owns it or binding the session to the connection that created it. Because completed sessions remain in the shared in-memory store, and some session IDs are predictable or derivable from task identifiers, an authenticated client can replay another client's stale task results, disclosing workflow data, screenshots, and other device-derived task output.
Exploitation allows authenticated cross-client replay of task results, with a high risk of disclosing sensitive session output to a requester other than the one that produced it. In multi-client deployments this can expose workflow data and blur which client owns a given task.
To reproduce, authenticate as a WebSocket client and send a task request whose session ID names a session that has already completed but still resides in the shared in-memory session store. The server reuses that session, retrieves the stale result, and delivers it through the normal task-end callback, leaking the earlier session's data to the requesting client.
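The following is an added illustration of the flaw described above and of a hardened handler; it is not code from Microsoft UFO, and every name in it (`SessionStore`, `handle_task_vulnerable`, `handle_task_hardened`, the `session-<task_id>` derivation, the client and task identifiers) is hypothetical. The vulnerable handler trusts a client-supplied `session_id`, keeps completed sessions in the shared store, and returns whatever result the matching session holds. The hardened handler generates unguessable IDs, rejects a session ID that does not belong to the requesting client (with the same error for "unknown" and "foreign" so the response does not confirm that an ID exists), and evicts a session once its task has finished so there is nothing left to replay.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    owner: str                 # hypothetical: WebSocket client the session was created for
    completed: bool = False
    result: Optional[dict] = None


class SessionStore:
    """In-memory session table shared by every connected client (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def get(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)

    def add(self, session: Session) -> Session:
        self._sessions[session.session_id] = session
        return session

    def evict(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def run_task(task_id: str) -> dict:
    """Stand-in for the real workflow; the output is constructed, not a device result."""
    return {"task_id": task_id, "screenshot": f"<png bytes for {task_id}>", "log": "ok"}


def handle_task_vulnerable(store: SessionStore, client_id: str, msg: dict) -> dict:
    """Trusts the client's session_id, never checks ownership, never evicts."""
    # Hypothetical derivation: without a client-supplied ID the session ID is built
    # from the task ID, so anyone who knows the task ID can compute it.
    session_id = msg.get("session_id") or f"session-{msg['task_id']}"
    session = store.get(session_id)
    if session is None:
        session = store.add(Session(session_id, owner=client_id))
    if not session.completed:              # first run: do the work and keep the result
        session.result = run_task(msg["task_id"])
        session.completed = True
    # Task-end callback: returns whatever the session holds, even another client's result.
    return {"session_id": session_id, "result": session.result}


def handle_task_hardened(store: SessionStore, client_id: str, msg: dict) -> dict:
    """Random IDs, owner binding, and eviction of finished sessions."""
    session_id = msg.get("session_id")
    if session_id is None:
        session = store.add(Session(secrets.token_urlsafe(32), owner=client_id))
    else:
        session = store.get(session_id)
        # One message for both cases so the reply does not reveal that the ID exists.
        if session is None or session.owner != client_id or session.completed:
            raise PermissionError("session not found for this client")
    session.result = run_task(msg["task_id"])
    session.completed = True
    store.evict(session.session_id)        # nothing remains in memory to replay
    return {"session_id": session.session_id, "result": session.result}


def demo_replay() -> tuple:
    """Client B predicts A's session ID and receives A's task result."""
    store = SessionStore()
    victim = handle_task_vulnerable(store, "client-A", {"task_id": "task-42"})
    attacker = handle_task_vulnerable(
        store, "client-B", {"task_id": "other", "session_id": "session-task-42"})
    return victim, attacker


def demo_hardened_completed() -> str:
    """Same attempt against the hardened handler after A's task has completed."""
    store = SessionStore()
    victim = handle_task_hardened(store, "client-A", {"task_id": "task-42"})
    try:
        handle_task_hardened(
            store, "client-B", {"task_id": "other", "session_id": victim["session_id"]})
    except PermissionError as exc:
        return str(exc)
    return "replay succeeded"


def demo_hardened_foreign() -> str:
    """Ownership check alone: B names a live session that belongs to A."""
    store = SessionStore()
    store.add(Session("live-session", owner="client-A"))
    try:
        handle_task_hardened(store, "client-B", {"task_id": "x", "session_id": "live-session"})
    except PermissionError as exc:
        return str(exc)
    return "replay succeeded"


if __name__ == "__main__":
    victim, attacker = demo_replay()
    print("vulnerable: B received", attacker["result"]["task_id"])
    print("hardened (completed):", demo_hardened_completed())
    print("hardened (foreign):", demo_hardened_foreign())
```

The two hardened checks are independent on purpose: eviction limits the window in which a stale result exists at all, while the owner comparison stops a client from attaching to a session that is still in progress. Deployments that must keep completed results around (for example, for a later fetch by the same client) can drop the eviction and rely on the owner binding, but should not drop the binding.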