Skip to main content

Joro CVE-2026-53649

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-07-08 https://github.com/BishopFox/joro GHSA-xqhv-chqm-fhcc
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Browser-pivoted network reach with no auth (PR:N) but needs operator to visit a page (UI:R); pivot from browser to loopback API is a scope change (S:C), yielding full RCE impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 21:28 vuln.today
CVE Published
Jul 08, 2026 - 20:27 github-advisory
CRITICAL 9.6

DescriptionGitHub Advisory

Unauthenticated Cross-Origin Plugin Upload Leads to RCE (Joro ≤ v1.1.0)

Severity: Critical CVSS v3.1: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) Affected versions: Joro ≤ v1.1.0, proxy mode (default), Linux/macOS Reporter: cstover Date: 2026-05-27

---

Summary

Joro's default proxy mode (in versions <= 1.1.0) exposes a local API on 127.0.0.1:9090 that performs no authentication and applies a wildcard CORS policy. Because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript on any page the operator visits can reach privileged endpoints - including uploading a native plugin and triggering a restart - directly through the operator's browser, with no preflight or credentials. Since plugins execute on load, this yields unauthenticated remote code execution as the operator's user from a single page visit.

---

Root Cause

Three weaknesses combined into the exploit chain.

1. No authentication in proxy mode. internal/api/server.go applied AuthMiddleware only when listenerMode was true. In the default proxy mode every API endpoint - including plugin upload and system restart - accepted requests without any token, cookie, or credential.

2. Permissive CORS with an insufficient protection assumption. corsMiddleware set Access-Control-Allow-Origin: * unconditionally on all responses. SECURITY.md documented this as an intentional tradeoff on the basis that proxy mode binds to 127.0.0.1, which the document states "limits exposure to the local machine."

That assumption was incorrect. multipart/form-data is a CORS-safelisted Content-Type, so cross-origin JavaScript can POST files to the Joro API without triggering a preflight request - the browser allows it. Any web page the operator visited reached the localhost API through their browser without restriction. The localhost bind provided no protection against browser-mediated requests.

3. Plugin init() executed on plugin.Open() before symbol lookup. internal/plugins/loader.go called plugin.Open(), which ran the plugin's init() functions before any symbol lookup occurred. A plugin with no exports still executed its payload the moment Joro restarted.

---

Attack Chain

  1. The operator visits an attacker-controlled page in Firefox on their machine.
  2. JavaScript on the page fetches pwn.so from the attacker's server (same-origin, no CORS issue).
  3. JavaScript POSTs pwn.so to http://127.0.0.1:9090/api/v1/plugins/upload as multipart/form-data. Joro accepts it - no auth, no preflight.
  4. JavaScript POSTs to http://127.0.0.1:9090/api/v1/system/restart. Joro re-executes.
  5. On restart, plugin.Open("pwn.so") calls init(), which opens a goroutine and dials back to the attacker's listener.
  6. An interactive /bin/bash -i shell is obtained as the operator's user.

The plugin ABI matches without any access to the operator's machine. The same public v1.1.0 release tarball is downloaded and Joro's own --build-plugin feature is used, which reads runtime/debug.BuildInfo from the release binary and forwards every ABI-relevant flag. One .so works against every operator running that release.

---

Impact

Unauthenticated, remote, browser-mediated code execution as the operator's user. Because the exploit pivots through the operator's browser to the loopback-bound API, the network bind offers no protection, and a single ABI-matched plugin works against every operator running the affected release.

Fix

The chain is broken at multiple layers. Cross-origin browser access to the proxy-mode API is eliminated, the API is restricted to same-origin requests targeting a loopback host, and the UI/API is bound to loopback only.

1. Removed the wildcard CORS header and gated the proxy-mode API behind a same-origin guard

corsMiddleware (which set Access-Control-Allow-Origin: * on every response) was deleted, and proxy mode now wraps the API in originGuard instead. (internal/api/server.go, commit 5c0ca35)

diff
 var handler http.Handler = mux
 if s.listenerMode {
+     // Listener/teamserver: bearer-token auth.
      handler = team.AuthMiddleware(s.teamToken, handler)
+} else {
+     // Proxy mode: restrict the API to same-origin browser requests.
+     handler = originGuard(uiBind, handler)
 }
-handler = corsMiddleware(handler)
diff
-// corsMiddleware adds permissive CORS headers for dev usage.
-func corsMiddleware(next http.Handler) http.Handler {
-     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-             w.Header().Set("Access-Control-Allow-Origin", "*")
-             w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
-             w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Joro-Nickname")
-             if r.Method == http.MethodOptions {
-                     w.WriteHeader(http.StatusNoContent)
-                     return
-             }
-             next.ServeHTTP(w, r)
-     })
-}

2. Same-origin enforcement via Sec-Fetch-Site + Origin/Host

originGuard rejects state-changing requests (and the /ws upgrade) whose Sec-Fetch-Site indicates a cross-origin initiator or whose Origin host does not match the request Host. Non-browser local tooling (no browser headers) is still allowed. (internal/api/originguard.go, commit 5c0ca35)

go
func isMutating(method string) bool {
      switch method {
      case http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodPatch:
              return true
      default:
              return false
      }
}

func sameOrigin(r *http.Request) bool {
      switch r.Header.Get("Sec-Fetch-Site") {
      case "", "same-origin", "none":
              // Same-origin, a direct navigation, or a non-browser client.
      default: // "cross-site", "same-site"
              return false
      }
      if origin := r.Header.Get("Origin"); origin != "" {
              if origin == "null" {
                      return false // opaque/sandboxed cross-origin context
              }
              u, err := url.Parse(origin)
              if err != nil || !strings.EqualFold(reqHostname(u.Host), reqHostname(r.Host)) {
                      return false
              }
      }
      return true
}

3. Tightened the WebSocket origin check

The WebSocket upgrader previously accepted every origin (CheckOrigin: return true). It now rejects cross-origin handshakes while still permitting non-browser clients. (internal/api/ws.go, commit 5c0ca35)

diff
var upgrader = websocket.Upgrader{
-     CheckOrigin: func(r *http.Request) bool { return true },
+     CheckOrigin: func(r *http.Request) bool {
+             origin := r.Header.Get("Origin")
+             if origin == "" {
+                     return true
+             }
+             if origin == "null" {
+                     return false
+             }
+             u, err := url.Parse(origin)
+             if err != nil {
+                     return false
+             }
+             return strings.EqualFold(reqHostname(u.Host), reqHostname(r.Host))
+     },
 }

4. Bound the proxy-mode UI/API to loopback and removed the wildcard host exception

The same-origin check alone can be defeated by DNS rebinding under a wildcard bind, because a rebound host (e.g. attacker.com) carries consistent Origin/Host/Sec-Fetch-Site headers. Two coordinated changes close this: the proxy-mode UI/API now binds to 127.0.0.1 regardless of --bind (which governs only the proxy port), and hostAllowed no longer has a wildcard exception, so the host must be loopback or the exact bind address. (internal/api/server.go and internal/api/originguard.go, commit 871936f)

diff
+// In proxy mode the UI/API binds to loopback only: --bind governs the proxy
+// port, and remote collaboration is listener/teamserver mode (bearer-token auth).
+uiBind := s.cfg.BindAddr
+if !s.listenerMode {
+     uiBind = "127.0.0.1"
+}
+
 var handler http.Handler = mux
 ...
 s.srv = &http.Server{
-     Addr:              fmt.Sprintf("%s:%d", s.cfg.BindAddr, s.cfg.UIPort),
+     Addr:              fmt.Sprintf("%s:%d", uiBind, s.cfg.UIPort),
diff
 func hostAllowed(reqHost, bindAddr string) bool {
      h := reqHostname(reqHost)
      if h == "" {
              return false
      }
      switch h {
      case "localhost", "127.0.0.1", "::1":
              return true
      }
-     switch bindAddr {
-     case "", "0.0.0.0", "::":
-             return true
-     }
      return strings.EqualFold(h, reqHostname(bindAddr))
 }

AnalysisAI

Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure operator to malicious page
Delivery
Fetch pwn.so from attacker server
Exploit
Cross-origin POST plugin to 127.0.0.1:9090 upload
Execution
POST to /system/restart endpoint
Persist
init() runs on plugin.Open()
Impact
Reverse shell as operator user

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running Joro ≤ v1.1.0 in the default proxy mode (not listener/teamserver mode) on Linux or macOS, with the API listening on 127.0.0.1:9090, and requires the operator to visit an attacker-controlled web page in a browser on that same machine (UI:R) while Joro is running. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H = 9.6 Critical) is internally consistent with the described chain: network-reachable via the browser, low complexity, no privileges, but requiring user interaction (the operator must visit an attacker page), with a scope change (browser pivots to the loopback API) and full confidentiality/integrity/availability impact via code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator runs Joro in default proxy mode and, in the same browser session, visits an attacker-controlled page. JavaScript on that page fetches a prebuilt pwn.so from the attacker's server, POSTs it as multipart/form-data to http://127.0.0.1:9090/api/v1/plugins/upload (accepted with no auth or preflight), then POSTs to /api/v1/system/restart; on restart plugin.Open() runs the plugin's init(), which dials back to the attacker and yields an interactive /bin/bash -i shell as the operator. …
Remediation Upgrade to a Joro release that includes fix commits 5c0ca35 and 871936f, which together remediate the chain; consult GHSA-xqhv-chqm-fhcc (https://github.com/BishopFox/joro/security/advisories/GHSA-xqhv-chqm-fhcc) for the exact patched release version, as an explicit fixed version number is not stated in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Joro installations and versions; restrict operators from accessing untrusted websites or disable Joro if not mission-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Share

CVE-2026-53649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy