Skip to content

MagicMirror socket payload secret placeholder expansion can disclose SECRET_* environment variables

Moderate
KristjanESPERANTO published GHSA-q4gh-4ffp-5cg8 Jul 1, 2026

Package

npm magicmirror (npm)

Affected versions

confirmed at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8 (`magicmirror` version 2.36.0)

Patched versions

>= 2.37.0

Description

Summary

When hideConfigSecrets: true is enabled, MagicMirror redacts SECRET_* environment placeholders in the HTTP /config response, but the shared node-helper socket dispatcher expands **SECRET_NAME** placeholders in every inbound socket payload before passing it to module helpers. Any client that can connect to a loaded module namespace can send a placeholder such as **SECRET_API_KEY** and cause the server to substitute the real environment variable into the helper payload. Helpers that echo attacker-controlled payload fields, such as the default weather helper error path, can return the secret value to the socket client.

Details

The affected product is the npm package/application magicmirror at version 2.36.0, tested at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8 from https://github.com/MagicMirrorOrg/MagicMirror.git.

The secret-redaction feature is implemented during config loading:

  • js/utils.js:117-123 loads a config.env file next to the config file into process.env when present.
  • js/utils.js:130-151 creates both a full config and a redacted config.
  • js/utils.js:137-140 redacts environment variables whose names start with SECRET_ to **SECRET_NAME** in the redacted config when hideConfigSecrets: true is present.
  • js/server.js:112-125 returns either configObj.redactedConf or configObj.fullConf from /config depending on config.hideConfigSecrets.

The disclosure root cause is the inbound socket dispatcher:

  • js/node_helper.js:88-103 registers a catch-all handler for each module namespace.
  • js/node_helper.js:91-99 checks config?.hideConfigSecrets and, for every inbound object payload, runs replaceSecretPlaceholder(JSON.stringify(payload)) before invoking socketNotificationReceived(...).
  • js/server_functions.js:23-34 implements replaceSecretPlaceholder(...) by replacing **SECRET_* **-style placeholders with process.env[...], unless global.config.cors === "allowAll".

This reverses the redaction boundary: redacted placeholders intended for the browser can be sent back to the server and expanded into real environment secret values inside helper payloads.

A confirmed echo path exists in the default weather helper:

  • defaultmodules/weather/node_helper.js:12-19 accepts INIT_WEATHER from the socket.
  • defaultmodules/weather/node_helper.js:27-31 copies config.instanceId from the attacker-controlled payload.
  • defaultmodules/weather/node_helper.js:47-52 attempts to dynamically load the requested weather provider.
  • defaultmodules/weather/node_helper.js:86-91 catches errors and sends WEATHER_ERROR with the same instanceId back to the namespace.

False-positive screening performed:

  • This is not a generic environment leak through /env; js/server_functions.js:221-240 returns only selected client environment paths.
  • The HTTP /config route does redact placeholders when hideConfigSecrets: true; the issue is that the inbound socket path expands those placeholders again before module helper code runs.
  • replaceSecretPlaceholder(...) intentionally refuses substitution when global.config.cors === "allowAll" (js/server_functions.js:29-34); the positive PoC used cors: "disabled", which is the shipped default (js/defaults.js:14). A negative control with no substitution produced the placeholder unchanged.
  • The attacker must know or infer a SECRET_* variable name. If the attacker can read the redacted /config response, placeholder names may be disclosed even when values are hidden. The PoC uses a known SECRET_MM_AUDIT test variable.
  • Network reachability follows the Socket.IO exposure model. With the shipped default address: "localhost" and loopback ipWhitelist, remote network reachability is limited. In documented non-loopback deployments, this combines with the Socket.IO access-control gap described separately.

Affected-version evidence: only magicmirror@2.36.0 at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8 was tested. The affected range is unknown from this audit; earlier versions were not tested. No patched version or fix commit was identified locally.

PoC

The following safe local PoC was run from a clean checkout of MagicMirror at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8. Because node_modules were not installed in this audit environment and package.json:52 has a destructive postinstall, the command uses dependency stubs while executing the vulnerable repository dispatcher and weather helper code. It writes no files and does not contact external services.

Positive trigger:

node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g,(_m,g)=>process.env[g])}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"disabled"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'

Observed output:

[{"n":"WEATHER_ERROR","p":{"instanceId":"secret-marker-42","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]

Expected vulnerable output: the weather error payload returned by the helper contains "instanceId":"secret-marker-42", proving the server substituted the SECRET_MM_AUDIT environment variable into an attacker-controlled socket payload and returned it to the client.

Negative/control trigger simulating no inbound placeholder substitution:

node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"allowAll"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'

Observed control output:

[{"n":"WEATHER_ERROR","p":{"instanceId":"**SECRET_MM_AUDIT**","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]

Expected control output: the placeholder remains **SECRET_MM_AUDIT**, showing that the positive case depends on the vulnerable server-side placeholder expansion step.

Final repro re-check: both the positive and negative harnesses were re-run after drafting, and the observed outputs above are from this environment. No cleanup was required.

Impact

Any client that can connect to a module Socket.IO namespace can disclose SECRET_* environment variables by sending known placeholder names in object payloads that are expanded by js/node_helper.js before helper processing. This undermines the purpose of hideConfigSecrets: true: secrets are hidden in the HTTP config response but can be converted back into their real values through inbound socket payloads.

The confidentiality impact depends on what the deployment stores under SECRET_* variables. MagicMirror configurations commonly include API tokens, calendar credentials, service keys, or network allowlist values in config/environment variables. The PoC proves disclosure of a test secret through a default helper echo path.

CVSS 3.1 rationale: AV:A because MagicMirror is intended for trusted local/private networks and remote exploitation requires a reachable local/private-network deployment; AC:L because once namespace access is available the attacker only needs a known or guessed SECRET_* name and an invalid weather provider to trigger the echo; PR:N because no application authentication is required; UI:N because the attacker sends socket messages directly; S:U because the impact is disclosure of secrets from the vulnerable application's own process environment; C:H because environment secrets can include credentials/API tokens; I:N/A:N because this report proves disclosure only.

Suggested remediation

Do not expand SECRET_* placeholders in inbound socket payloads. The redaction boundary should be one-way: server-to-client responses may contain placeholders, but client-to-server messages must not be treated as authority to retrieve real environment values.

Concrete fixes:

  • Remove the replaceSecretPlaceholder(JSON.stringify(payload)) call from js/node_helper.js:91-99 for inbound socket payloads.
  • If a specific module legitimately needs secret material, resolve it only from server-loaded trusted configuration, not from client-supplied placeholders.
  • Keep hideConfigSecrets redaction for /config, but avoid disclosing placeholder names to clients when not necessary.
  • Add regression tests that set hideConfigSecrets: true and SECRET_TEST=value, send a socket payload containing **SECRET_TEST**, and assert that every helper receives/returns the literal placeholder rather than the secret value.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2026-63640

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Credits