GHSA-2R2P-4CGF-HV7H
Vulnerability from github – Published: 2026-04-22 14:52 – Updated: 2026-04-22 14:52
VLAI
Summary
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
Details
Summary
The local HTTP server started by engram server (binding 127.0.0.1:7337 by default) was exposed to any browser origin with no authentication unless ENGRAM_API_TOKEN was explicitly set. Combined with Access-Control-Allow-Origin: * on every response and a body parser that did not require Content-Type: application/json, this allowed a malicious web page the developer visited to:
- Exfiltrate the local knowledge graph via
GET /queryandGET /stats(function names, file layout, recorded decisions/mistakes). - Inject persistent prompt-injection payloads via
POST /learn, which wrotemistake/decisionnodes that were later surfaced as system-reminders to the user's AI coding agent on every future session and file edit.
Severity: High — confidentiality + persistent indirect prompt injection against the user's coding agent.
Affected versions
engramx >= 1.0.0, < 2.0.2 — any version that shipped the HTTP server.
Patched in
engramx@2.0.2
Workarounds (if you cannot upgrade)
- Do not run
engram serverorengram ui. - If developers must, set
ENGRAM_API_TOKENto a long random value and terminate the server before browsing the web.
Remediation (applied in 2.0.2)
- Fail-closed auth on every non-public route — Bearer header or HttpOnly cookie, constant-time comparison, 256-bit auto-generated token at
~/.engram/http-server.token(0600). - Wildcard CORS removed entirely; default is no CORS headers. Opt-in allowlist via
ENGRAM_ALLOWED_ORIGINS. - Host + Origin validation — rejects DNS rebinding and Host spoofing.
Content-Type: application/jsonenforced on mutations — blocks the text/plain CSRF vector./ui?token=bootstrap withSec-Fetch-Sitegate — prevents cross-origin oracle probing.
Credit
Discovered and responsibly disclosed by @gabiudrescu in engram issue #7.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "engramx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-306",
"CWE-352",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T14:52:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe local HTTP server started by `engram server` (binding `127.0.0.1:7337` by default) was exposed to any browser origin with no authentication unless `ENGRAM_API_TOKEN` was explicitly set. Combined with `Access-Control-Allow-Origin: *` on every response and a body parser that did not require `Content-Type: application/json`, this allowed a malicious web page the developer visited to:\n\n1. **Exfiltrate** the local knowledge graph via `GET /query` and `GET /stats` (function names, file layout, recorded decisions/mistakes).\n2. **Inject persistent prompt-injection payloads** via `POST /learn`, which wrote `mistake`/`decision` nodes that were later surfaced as system-reminders to the user\u0027s AI coding agent on every future session and file edit.\n\nSeverity: **High** \u2014 confidentiality + persistent indirect prompt injection against the user\u0027s coding agent.\n\n### Affected versions\n\n`engramx` \u003e= 1.0.0, \u003c 2.0.2 \u2014 any version that shipped the HTTP server.\n\n### Patched in\n\n`engramx@2.0.2`\n\n### Workarounds (if you cannot upgrade)\n\n- Do **not** run `engram server` or `engram ui`.\n- If developers must, set `ENGRAM_API_TOKEN` to a long random value and terminate the server before browsing the web.\n\n### Remediation (applied in 2.0.2)\n\n1. Fail-closed auth on every non-public route \u2014 Bearer header or HttpOnly cookie, constant-time comparison, 256-bit auto-generated token at `~/.engram/http-server.token` (0600).\n2. Wildcard CORS removed entirely; default is no CORS headers. Opt-in allowlist via `ENGRAM_ALLOWED_ORIGINS`.\n3. Host + Origin validation \u2014 rejects DNS rebinding and Host spoofing.\n4. `Content-Type: application/json` enforced on mutations \u2014 blocks the text/plain CSRF vector.\n5. `/ui?token=` bootstrap with `Sec-Fetch-Site` gate \u2014 prevents cross-origin oracle probing.\n\n### Credit\n\nDiscovered and responsibly disclosed by @gabiudrescu in engram issue #7.",
"id": "GHSA-2r2p-4cgf-hv7h",
"modified": "2026-04-22T14:52:03Z",
"published": "2026-04-22T14:52:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NickCirv/engram/security/advisories/GHSA-2r2p-4cgf-hv7h"
},
{
"type": "WEB",
"url": "https://github.com/NickCirv/engram/issues/7"
},
{
"type": "PACKAGE",
"url": "https://github.com/NickCirv/engram"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…