Dapr · Dapr · CVE-2023-37918
**Name of the Vulnerable Software and Affected Versions**
Dapr versions prior to 1.10.9
Dapr versions prior to 1.11.2
**Description**
A vulnerability has been found in Dapr that allows bypassing API token authentication with a well-crafted HTTP request. This issue impacts Dapr users who have configured API token authentication. An attacker could craft a request that the Dapr sidecar always accepts over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The vulnerability stems from the allowlisting of the healthcheck endpoints: the exemption matched on the string `/healthz` anywhere in the request URL rather than on the exact endpoint path, so any request whose URL contained `/healthz` bypassed the API token authentication check.
**Recommendations**
For Dapr versions prior to 1.10.9, upgrade to version 1.10.9 or later.
For Dapr versions prior to 1.11.2, upgrade to version 1.11.2 or later.
As a temporary workaround, consider restricting access to the `/v1.0/healthz` and `/v1.0/healthz/outbound` HTTP APIs to minimize the risk of exploitation.
Avoid using URLs that contain `/healthz` in the query string until the issue is resolved.
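As an added illustration, not Dapr's own code, the Go functions below contrast the substring-based exemption described above with an exact-path allowlist restricted to the two health endpoints named in the recommendations; the function names and sample URLs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// The two health endpoints the advisory names; only these may be called
// without a valid dapr-api-token.
var healthzAllowlist = map[string]bool{
	"/v1.0/healthz":          true,
	"/v1.0/healthz/outbound": true,
}

// weakBypassesAuth models the flawed allowlist: any request whose raw URL
// contains "/healthz" (in the path or the query string) skips the token check.
// Hypothetical reconstruction of the bug class, not the Dapr implementation.
func weakBypassesAuth(rawURL string) bool {
	return strings.Contains(rawURL, "/healthz")
}

// strictBypassesAuth parses the request URI and exempts only an exact match
// on the path component, so the query string cannot influence the decision.
// Dot segments are not normalised here; an unparseable URI fails closed.
func strictBypassesAuth(rawURL string) (bool, error) {
	u, err := url.ParseRequestURI(rawURL)
	if err != nil {
		return false, err
	}
	return healthzAllowlist[u.Path], nil
}

func main() {
	// Constructed sample request URIs: two real health probes, two that merely
	// carry "/healthz" somewhere in the URL.
	samples := []string{
		"/v1.0/healthz",
		"/v1.0/healthz/outbound?verbose=1",
		"/v1.0/state/store?key=/healthz",
		"/v1.0/healthz/../state/store",
	}
	for _, s := range samples {
		strict, err := strictBypassesAuth(s)
		fmt.Printf("%-40s weak=%-5v strict=%-5v err=%v\n",
			s, weakBypassesAuth(s), strict, err)
	}
}
```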