ChatGPTNextWeb NextChat
cpe:2.3:a:nextchat:nextchat:*:*:*:*:*:*:*
- <= 2.16.x
- 2.16.1
An unauthenticated remote code execution vulnerability has been identified in ChatGPTNextWeb NextChat versions through 2.16.1. The flaw is in the 'addMcpServer' function in 'app/mcp/actions.ts', which is exposed as a Next.js Server Action (it is reached through the 'Next-Action' request header) and performs no authentication or authorization check, so any remote client that can reach the application can invoke it. The vulnerability has been publicly disclosed and may be actively exploited.
Successful exploitation yields unauthenticated command execution on the server. The spawned command inherits the environment of the NextChat server process, including any API keys and secrets held there, and runs with that process's file system permissions, allowing arbitrary file reads and writes. An attacker can therefore exfiltrate data such as the contents of '.env.local', which holds the deployment's API keys and access codes. The impact is made worse by persistence: the malicious MCP server configuration is stored by the application, survives restarts, and is re-executed when the application starts again, giving the attacker a standing backdoor on the host.
The vulnerability can be reproduced by sending an HTTP POST request to the application root ('/') with the 'Next-Action' header set to the action ID of the 'addMcpServer' function, with no session or access code required. The request body is a JSON payload that names the command to execute together with its arguments. When the request is processed the server spawns the specified command, which confirms exploitation. Note that Server Action IDs are generated per build, so the ID must be taken from the deployed bundle rather than assumed to be constant across versions.
To address this vulnerability, add authentication and authorization checks to the 'addMcpServer' function so that only authorized users can invoke it; an exposed Server Action is callable by anyone who can reach the deployment, so the check must happen on the server, not in the UI. The 'isMcpEnabled' function should also be called as a guard so that MCP-related actions are refused outright when the feature is disabled. Restrict the executable to a predefined allowlist of safe commands and validate the arguments as well, since an allowlisted binary with attacker-controlled arguments can still be abused. Finally, consider moving MCP management to a dedicated API route with proper authentication and input validation, where these checks are easier to enforce consistently.