ericc-ch copilot-api DNS Rebinding Vulnerability Allowing Token Theft

Vulnerability

A DNS rebinding vulnerability has been identified in ericc-ch copilot-api versions through 0.7.0. The issue arises in the Header Handler component, specifically within the /token file: the server does not validate the Host header of incoming requests, so a request that a browser sends to an attacker-controlled domain which has been rebound to 127.0.0.1 is accepted as if it came from a local origin. This effectively bypasses the browser's same-origin policy and lets a malicious web page reach the copilot-api instance on localhost:4141, read the Copilot Bearer token, and exfiltrate it to an attacker-controlled server.

Impact

Exploitation of this vulnerability allows for unauthorized access to the GitHub Copilot API under the victim's identity, including access to chat completions and models. The stolen Copilot Bearer token can be used to exhaust the victim's request quota, causing financial harm, and AI requests made with the token are attributed to the victim's GitHub account.

Reproduction

To reproduce this vulnerability, first ensure that copilot-api v0.7.0 is running on localhost:4141. Then, register a domain with a DNS server that allows manipulation of DNS records. After the initial DNS lookup, the domain should be configured to resolve to 127.0.0.1. Once the DNS rebinding is successful, the browser will treat the request as same-origin, bypassing CORS restrictions. The copilot-api server will accept the request and respond with the token, which can be exfiltrated to an attacker-controlled server.

Remediation

To address this vulnerability, add middleware that validates the Host header of incoming requests and rejects any request whose Host is not one of the expected local values. Replace the wildcard CORS policy (Access-Control-Allow-Origin: *) with a restrictive origin policy that only allows known local origins. Bind the server to 127.0.0.1 rather than all interfaces to reduce network exposure, and require authentication on all routes so that sensitive endpoints cannot be reached without a valid API key.
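The following is an added example, not code from the copilot-api project, showing the first two remediation steps in framework-agnostic JavaScript: a Host-header allowlist that defeats DNS rebinding (the rebound attacker domain still appears in the Host header even though the connection reaches 127.0.0.1) and an Origin allowlist that replaces a wildcard CORS policy. It assumes the API listens on port 4141 as stated above; the allowed hostnames, the `hostGuard`/`evaluateRequest` names, and the constructed sample headers (including the placeholder domain `rebind.example`) are the example's own.

```javascript
// Added example, not copilot-api's own code: Host-header and Origin allowlisting
// as a defence against DNS rebinding. Assumes the API listens on 127.0.0.1:4141
// (the port named in the advisory); hostnames and origins below are the local
// values such a deployment would expect.

const LISTEN_PORT = 4141;
const ALLOWED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);
const ALLOWED_ORIGINS = new Set([
  "http://localhost:4141",
  "http://127.0.0.1:4141",
  "http://[::1]:4141",
]);

// Split a Host header into { hostname, port }. Returns null for anything
// malformed (empty, bad port, unbalanced IPv6 brackets, trailing junk).
function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  const v = value.trim().toLowerCase();
  if (v === "") return null;
  let hostname;
  let portText = null;
  if (v.startsWith("[")) {
    // Bracketed IPv6 literal, e.g. "[::1]:4141"
    const close = v.indexOf("]");
    if (close === -1) return null;
    hostname = v.slice(0, close + 1);
    const rest = v.slice(close + 1);
    if (rest !== "") {
      if (!rest.startsWith(":")) return null;
      portText = rest.slice(1);
    }
  } else {
    const sep = v.lastIndexOf(":");
    if (sep === -1) {
      hostname = v;
    } else {
      hostname = v.slice(0, sep);
      portText = v.slice(sep + 1);
    }
  }
  let port = null;
  if (portText !== null) {
    if (!/^\d{1,5}$/.test(portText)) return null;
    port = Number(portText);
    if (port < 1 || port > 65535) return null;
  }
  return { hostname, port };
}

// Accept only when the Host names an expected local hostname AND carries the
// exact port the server listens on. A rebound attacker domain fails the
// hostname check because the browser still sends the original name.
function isAllowedHost(value, options = {}) {
  const hostnames = options.allowedHostnames ?? ALLOWED_HOSTNAMES;
  const port = options.port ?? LISTEN_PORT;
  const parsed = parseHostHeader(value);
  if (parsed === null) return false;
  if (!hostnames.has(parsed.hostname)) return false;
  return parsed.port === port;
}

// Replacement for a wildcard CORS policy: echo the Origin only when it is on
// the allowlist; otherwise emit no Access-Control-Allow-Origin at all.
// Requests without an Origin header (curl, same-origin navigations) get none.
function corsAllowOrigin(originValue, options = {}) {
  const origins = options.allowedOrigins ?? ALLOWED_ORIGINS;
  if (typeof originValue !== "string") return null;
  return origins.has(originValue) ? originValue : null;
}

// The decision the middleware makes, returned as plain data so it can be
// logged and unit-tested independently of any HTTP framework.
function evaluateRequest(headers, options = {}) {
  if (!isAllowedHost(headers.host, options)) {
    return { status: 421, reason: "unexpected Host header", allowOrigin: null };
  }
  return { status: 200, reason: null, allowOrigin: corsAllowOrigin(headers.origin, options) };
}

// Node-style (req, res, next) middleware built on evaluateRequest. 421
// Misdirected Request is the status HTTP defines for a Host the server
// does not serve; log it, since a burst of 421s is a rebinding signal.
function hostGuard(options = {}) {
  return function (req, res, next) {
    const decision = evaluateRequest(req.headers, options);
    if (decision.status !== 200) {
      res.statusCode = decision.status;
      res.setHeader("Content-Type", "text/plain");
      res.end(`${decision.reason}\n`);
      return;
    }
    if (decision.allowOrigin !== null) {
      res.setHeader("Access-Control-Allow-Origin", decision.allowOrigin);
      res.setHeader("Vary", "Origin");
    }
    next();
  };
}

// Constructed sample headers: a legitimate local client and a request whose
// Host is a rebound attacker domain ("rebind.example" is a placeholder).
const SAMPLE_LOCAL = { host: "localhost:4141", origin: "http://localhost:4141" };
const SAMPLE_REBOUND = { host: "rebind.example:4141", origin: "http://rebind.example" };

for (const [label, headers] of [["local", SAMPLE_LOCAL], ["rebound", SAMPLE_REBOUND]]) {
  console.log(label, JSON.stringify(evaluateRequest(headers)));
}
```

`hostGuard()` is meant to be mounted before every route, including /token, so the check runs before any handler can emit the Bearer token; note that a Host without a port is rejected on purpose, because HTTP would default it to port 80, which is not where the API listens.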

Added: Apr 23, 2026, 12:20 AM
Updated: Apr 23, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.7
exploitability: 7.1
remediation: 0.0
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.