OpenBMB XAgent API Key Logging Vulnerability in Function Handler
Vulnerability
A vulnerability exists in OpenBMB XAgent version 1.0.0 within the API Key Handler component. The issue arises in the FunctionHandler.handle_tool_call method, where third-party API keys are logged and returned without proper masking. This flaw allows sensitive information to be exposed through log files and WebSocket communications. The vulnerability can be exploited remotely by authenticated users.
Impact
Exploitation of this vulnerability leads to the unauthorized disclosure of plaintext API keys for various third-party services, including RapidAPI, SurveyMethods, and Amazon scraping tools. The vulnerability also bypasses an existing partial fix, creating a false sense of security.
Reproduction
To reproduce this vulnerability, deploy OpenBMB XAgent version 1.0.0 using Docker. After logging in with default credentials, create an interaction and submit a task that triggers the use of a RapidAPI tool requiring an API key. The unmasked API key will be sent back through the WebSocket channel or can be retrieved via a path traversal exploit that accesses the application's log files.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.