Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable authenticated user (PR:L) chains a reliable Host-header bypass (AC:L) into host command execution, yielding full C/I/A impact with no user interaction.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
9Router is an AI router & token saver. Prior to 0.5.2, 9Router allows a remote authenticated attacker to achieve arbitrary code execution on the host operating system by combining a Host header bypass of localhost-only routes with unvalidated MCP plugin args passed to child_process.spawn(), allowing malicious custom plugins to execute commands through /api/mcp//sse. This issue is fixed in version 0.5.2.
AnalysisAI
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the host by chaining a Host-header spoof (to reach routes that are supposed to be localhost-only) with unsanitized MCP plugin arguments that flow into child_process.spawn() via the /api/mcp//sse endpoint. Rated CVSS 8.8 (CWE-78, OS command injection), it is fixed in 0.5.2; no public exploit or CISA KEV listing exists at time of analysis, though a vendor advisory and fix commit are published.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an authenticated low-privileged session to 9Router (CVSS PR:L), (2) the ability to define or influence a custom MCP plugin whose arguments reach child_process.spawn(), and (3) a deployment where 9Router sits behind a reverse proxy so that the loopback/localhost-only guard can be defeated with attacker-supplied forwarding/Host headers to reach the /api/mcp//sse route. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8 High) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full confidentiality/integrity/availability impact - consistent with host RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a low-privileged authenticated session to a proxy-fronted 9Router sends a request to /api/mcp//sse with a spoofed Host/forwarding header so the localhost-only guard treats it as loopback traffic. They then supply a malicious custom MCP plugin whose arguments embed shell metacharacters, which 9Router passes into child_process.spawn(), executing arbitrary commands on the host OS. … |
| Remediation | Vendor-released patch: upgrade to 9Router 0.5.2 (https://github.com/decolua/9router/releases/tag/v0.5.2), which corrects the loopback-trust logic - the fix commit da667836cc7584bea0edd893de1d590c9ea279dc stamps an x-9r-via-proxy header when x-forwarded-for or x-real-ip are present and makes dashboardGuard.js treat such proxied requests as non-local, closing the Host-header bypass. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your environment to identify all 9Router instances and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credential
Remote authorization bypass in decolua 9router up to version 0.3.47 allows unauthenticated network attackers to access t
Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote
Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read ev
Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable applicatio
Authorization-gate bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker reach protect
Authentication bypass in 9Router (decolua/9router) versions prior to 0.5.2 lets remote unauthenticated attackers reach p
Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: lo
Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-prox
Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redir
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JW
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44814