Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present.
In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials.
Impact: unauthorized access to production data exposed through the Inspector/API on affected deployments.
Affected condition: a public deployment behind a reverse proxy or same-host tunnel that forwards traffic to the Node process over loopback.
Remediation implemented on the main branch: local-request detection now fails closed in production unless loopback trust is explicitly enabled, and forwarded public clients remain remote.
Patched release version is pending; this draft will be updated once the fix is released.
AnalysisAI
Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from CWE-288 authentication logic flaw where the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when received over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1 released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.
Technical ContextAI
Neotoma is an npm package (pkg:npm/neotoma) providing data exploration and inspection capabilities for Node.js applications. The vulnerability arises from a CWE-288 Authentication Bypass by Assuming a Trusted Path flaw in the REST authentication middleware introduced in version 0.6.0. The middleware performs local-request detection by checking if connections arrive over loopback interfaces (127.0.0.1/::1). In typical reverse-proxy architectures (nginx, Apache, Cloudflare Tunnel, etc.), the proxy terminates external connections and forwards requests to the backend Node process over localhost. Without inspecting X-Forwarded-For headers, the middleware cannot distinguish legitimate local development traffic from proxied public requests. When no Bearer token is present, affected versions grant these proxied requests the privileges of the local development user, bypassing authentication entirely and exposing the Inspector interface and associated API endpoints that would normally require credentials.
RemediationAI
Upgrade immediately to Neotoma version 0.11.1 or later, which implements production-safe local-request detection that validates X-Forwarded-For headers and fails closed when reverse-proxy traffic is detected. Install via npm: 'npm install -g neotoma@0.11.1' for CLI users or update package.json dependency to '"neotoma": "^0.11.1"' for embedded usage. Release notes and migration guidance are available at https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1. If immediate patching is not feasible, implement compensating controls: (1) Configure the reverse proxy to require authentication before forwarding to Neotoma backend, adding an authorization layer external to the application - trade-off is managing separate auth mechanism and potential UX friction; (2) Bind the Neotoma process to a non-loopback interface and configure firewall rules to restrict access to trusted IP ranges only - trade-off is increased network exposure and operational complexity; (3) Temporarily disable the Inspector interface in production if the vulnerability surface is not required for operational needs - trade-off is loss of production debugging capability. Note that setting NEOTOMA_TRUST_PROD_LOOPBACK=1 in patched versions re-enables loopback trust and should only be used in isolated environments where loopback traffic is guaranteed local.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33367
GHSA-5cvp-p7p4-mcx9