PT-2026-30400 · Npm · @Grackle-Ai/Powerline

Publicado

2026-03-25

·

Atualizado

2026-03-25

CVSS v4.0

6.3

Média

VetorAV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Impact

When --token is not provided and GRACKLE POWERLINE TOKEN is not set, the PowerLine gRPC server runs with zero authentication. A warning is logged ("NO AUTH (development only)") but nothing prevents deployment in this state. Any client that can reach the PowerLine port can spawn agent sessions, access credential tokens, and execute code.
The default binding is 127.0.0.1 (loopback only), which limits exposure to the local machine. However, if PowerLine is accidentally exposed on a network (e.g., in a container or via port forwarding), the impact is critical.
Affected code:
  • packages/powerline/src/index.ts:46 — token defaults to empty string
  • packages/powerline/src/index.ts:63-76 — auth interceptor is only added when token is truthy

Patches

0.70.1
Fix: Require an explicit --no-auth flag to run without authentication, rather than defaulting to no auth when the token is empty. Throw an error if starting without a token and without --no-auth.

Workarounds

Always provide --token or set GRACKLE POWERLINE TOKEN when starting PowerLine. The Grackle server does this automatically when managing PowerLine lifecycle.

Resources

  • CWE-306: Missing Authentication for Critical Function
  • File: packages/powerline/src/index.ts

Correção

Missing Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-306

Identificadores relacionados

GHSA-XQ7H-VWJP-5VRH

Produtos afetados

@Grackle-Ai/Powerline