PT-2026-50979 · Go · Github.Com/Tilt-Dev/Tilt
Publicado
2026-06-19
·
Atualizado
2026-06-19
·
CVE-2026-55883
CVSS v4.0
8.3
Alta
| Vetor | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
The Tilt HUD WebSocket (
/ws/view) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state.Details
The upgrader accepts a connection when the
csrf query parameter matches a process-wide token (websocketCSRFToken). That token is served as text/plain by an unauthenticated handler (WebsocketToken, mounted at /api/websocket token), so any reachable caller can fetch it and connect to /ws/view?csrf=<token>. When the parameter does not match, the upgrader falls back to a same-origin check that returns true when the Origin header is absent, so a non-browser client that omits Origin is accepted anyway. The token has no per-session binding.Impact
An attacker who can reach the HUD listener can open the HUD WebSocket and receive the full view stream — session state, Tiltfile contents, resource statuses, and continued updates — defeating the intended anti-CSWSH protection.
Conditions for exploitation
- Affected version in
>= 0.24.0, <= 0.37.3. - HUD bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit
--host, unset TILT HOST). No complete workaround short of upgrading for non-loopback deployments.Correção
Insufficient Verification of Data Authenticity
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Tilt-Dev/Tilt