GHSA-QP7J-X725-G67F

Vulnerability from github – Published: 2025-08-19 15:34 – Updated: 2025-08-29 20:37
VLAI
Summary
HydrAIDE Authentication Bypass Vulnerability
Details

Summary

There is no authentication of any kind.

Details

TLS is implemented, the tunnel between the client and server is secure, however once data is on the server, it's free to be read by any adversaries.

On the client side : https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L221 It should be using a TLS Config with RootCAs and Certificates, currently RootCAs only (under NewClientTLSFromFile)

And on the server side, there should be ClientCAs and ClientAuth filled.

PoC

To bypass as is, the simplest way is to take the client and modify the code as such :

Modified from https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L209

            // hostOnly := strings.Split(server.Host, ":")[0]
            // creds, certErr := credentials.NewClientTLSFromFile(server.CertFilePath, hostOnly)
            // if certErr != nil {
            //  slog.Error("error while loading TLS credentials: ", "error", certErr, "server", server.Host, "fromIsland", server.FromIsland, "toIsland", server.ToIsland)
            //  errorMessages = append(errorMessages, certErr)
            // }
            var opts []grpc.DialOption
            tlsConfig := &tls.Config{
                InsecureSkipVerify: true,
            }
            creds := credentials.NewTLS(tlsConfig)
            opts = append(opts, grpc.WithTransportCredentials(creds))

Impact

It impacts everyone who think there is any kind of authentication.


Resolution

This vulnerability has been fully fixed in server/v2.2.1 together with hydraidectl/v0.2.1.

All users are strongly advised to upgrade:

  1. Update to hydraidectl v0.2.1
  2. Re-initialize server instances with hydraidectl init into a new folder. This generates the required certificate files, downloads the latest binaries, and sets up the necessary environment variables.

For migration help, join the community Discord: https://discord.gg/xE2YSkzFRm or open a GitHub Discussion. If anything does not work, please report it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hydraide/hydraide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.1"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hydraide/hydraide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250816184905-1256db38c33c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-19T15:34:48Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThere is no authentication of any kind.\n\n\n### Details\nTLS is implemented, the tunnel between the client and server is secure, however once data is on the server, it\u0027s free to be read by any adversaries.\n\nOn the client side : https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L221\nIt should be using a TLS Config with RootCAs and Certificates, currently RootCAs only (under NewClientTLSFromFile)\n\nAnd on the server side, there should be ClientCAs and ClientAuth filled.\n\n### PoC\nTo bypass as is, the simplest way is to take the client and modify the code as such : \n\nModified from https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L209\n```go\n\t\t\t// hostOnly := strings.Split(server.Host, \":\")[0]\n\t\t\t// creds, certErr := credentials.NewClientTLSFromFile(server.CertFilePath, hostOnly)\n\t\t\t// if certErr != nil {\n\t\t\t// \tslog.Error(\"error while loading TLS credentials: \", \"error\", certErr, \"server\", server.Host, \"fromIsland\", server.FromIsland, \"toIsland\", server.ToIsland)\n\t\t\t// \terrorMessages = append(errorMessages, certErr)\n\t\t\t// }\n\t\t\tvar opts []grpc.DialOption\n\t\t\ttlsConfig := \u0026tls.Config{\n\t\t\t\tInsecureSkipVerify: true,\n\t\t\t}\n\t\t\tcreds := credentials.NewTLS(tlsConfig)\n\t\t\topts = append(opts, grpc.WithTransportCredentials(creds))\n```\n\n### Impact\nIt impacts everyone who think there is any kind of authentication.\n\n---\n\n## Resolution\n\nThis vulnerability has been fully fixed in server/v2.2.1 together with hydraidectl/v0.2.1.\n\nAll users are strongly advised to upgrade:\n\n1. Update to hydraidectl v0.2.1\n2. Re-initialize server instances with hydraidectl init into a new folder. This generates the required certificate files, downloads the latest binaries, and sets up the necessary environment variables.\n\nFor migration help, join the community Discord: https://discord.gg/xE2YSkzFRm or open a GitHub Discussion.\nIf anything does not work, please report it.",
  "id": "GHSA-qp7j-x725-g67f",
  "modified": "2025-08-29T20:37:10Z",
  "published": "2025-08-19T15:34:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hydraide/hydraide/security/advisories/GHSA-qp7j-x725-g67f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydraide/hydraide/commit/b252554a811400a81951dc9f959b99077f187975#diff-63efbc8179fff403eb5cc642407b33c0fb21aea2c84baaf5e5223f76f5d75f55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hydraide/hydraide"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3895"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HydrAIDE Authentication Bypass Vulnerability"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…