Last Week in AppSec for 26. August 2025 - Checkmarx


Here are some news items our team found interesting over the past week, which you might have missed.

  • NPM module cipher-base (10M weekly downloads), part of the crypto-browserify JavaScript suite for performing cryptographic implementations in the browser, has a severe (CVSSv4 9.1) vulnerability that makes its hashing functions unsafe to use. Make sure you’re on 1.0.5 or newer if you use hashing for any kind of data verification or cryptographic operation.
  • The popular mcp-cli tool, which allows easily running MCP Servers from various sources, has a command-injection flaw in version 1.13.0 (current as of this post). The flaw is rooted in the tool’s OAuth2 implementation, allowing an attacker to construct a malicious MCP service that performs OS-level command-injection on the user. This issue is fixed in the main branch, but the fix has not yet been tagged into a new release.
  • The very popular cloud-code-router plugin for the Claude Code AI coding assistant could leak secrets such as private API keys for various AI services due to an improper CORS (Cross-Origin Resource Sharing) configuration in versions prior to 1.0.34. Leaking these credentials can lead to resource exhaustion, increased cost, and potential leaks of sensitive data such as code, configuration information, and other prompt and response contents.

NPM package `cipher-base` through 1.0.4 has insecure hash implementations

NPM module cipher-base (10M weekly downloads), part of the crypto-browserify JavaScript suite for performing cryptographic implementations in the browser, has a severe (CVSSv4 9.1) vulnerability that makes its hashing functions unsafe to use. Make sure you’re on 1.0.5 or newer if you use hashing for any kind of data verification or cryptographic operation.


The main issue is a lack of input type checks before calling createHash, leading primarily to the ability to rewind the hash state. This allows an attacker to construct a payload that will pass hash-based verification checks, tricking the application into treating malicious data objects as matching a known-safe hash digest. When used for sensitive operations, this can have a profound impact on data integrity.

The flaw also has several follow-on impacts, including DoS (Denial of Service) via hash collisions, and the potential to reveal cryptographic secrets in some implementations.

If you’re using crypto-browserify, or if you’re using cipher-base through any other path, make sure you update your dependency tree to ensure cipher-base is at or newer than 1.0.5.

OS Command Injection in MCP command-line tool

The popular mcp-cli tool, which allows easily running MCP Servers from various sources, has a command-injection flaw in version 1.13.0 (current as of this post). The flaw is rooted in the tool’s OAuth2 implementation, allowing an attacker to construct a malicious MCP service that performs OS-level command-injection on the user. This issue is fixed in the main branch, but the fix has not yet been tagged into a new release.

GitHub user superboy-zjc published a detailed description of the vulnerability as well as a proof of concept. In it, the researcher explains that the tool fails to properly validate and sanitize OAuth authorization server addresses provided by the untrusted MCP Server to which it is connecting. Setting the authorization URL to something as simple as http://google.com/$(malicious_command_here) within the malicious MCP server is enough to cause the command-line tool to execute commands under the authority of the user running mcp-cli.

Fortunately, the attack requires an adversary to compromise an existing MCP server or trick a developer into using an attacker-controlled MCP server via a custom URL, which lowers the risk of successful exploitation. However, given the relative novelty of MCP workflows and the current excitement over AI in various workflows, it may be easier than usual to trick a user into experimenting with an untrusted service.

Organizations with strong network traffic controls may be able to mitigate this significantly by using network filtering to allow-list trusted and approved MCP servers. Otherwise, endpoint protections should be strict about looking for potentially malicious behavior from child processes of the mcp-cli process.

Router plugin for Claude Code has a leak

The very popular cloud-code-router plugin for the Claude Code AI coding assistant could leak secrets such as private API keys for various AI services due to an improper CORS (Cross-Origin Resource Sharing) configuration in versions prior to 1.0.34. Leaking these credentials can lead to resource exhaustion, increased cost, and potential leaks of sensitive data such as code, configuration information, and other prompt and response contents.

Details are sparse (and what’s available is in Chinese), but the root cause seems to be modifications to the CORS logic in the auth.ts and server.ts TypeScript files, which introduced several bugs including a failure to properly check access levels. The result is that origins that should be disallowed can be allowed, permitting malicious users to potentially inject content into Claude Code to exfiltrate data that the router has access to.

Since the purpose of the router is to route different types of prompts to different providers and models, this can include prompt content as well as API keys for various services the router is configured to use.

Tags: AI, AI Security, Application Security Vulnerabilities, JavaScript, LLM, Open-Source Security, Supply Chain Security