PT-2026-50979 · Go · Github.Com/Tilt-Dev/Tilt
Published
2026-06-19
·
Updated
2026-06-19
·
CVE-2026-55883
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
The Tilt HUD WebSocket (
/ws/view) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state.Details
The upgrader accepts a connection when the
csrf query parameter matches a process-wide token (websocketCSRFToken). That token is served as text/plain by an unauthenticated handler (WebsocketToken, mounted at /api/websocket token), so any reachable caller can fetch it and connect to /ws/view?csrf=<token>. When the parameter does not match, the upgrader falls back to a same-origin check that returns true when the Origin header is absent, so a non-browser client that omits Origin is accepted anyway. The token has no per-session binding.Impact
An attacker who can reach the HUD listener can open the HUD WebSocket and receive the full view stream — session state, Tiltfile contents, resource statuses, and continued updates — defeating the intended anti-CSWSH protection.
Conditions for exploitation
- Affected version in
>= 0.24.0, <= 0.37.3. - HUD bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit
--host, unset TILT HOST). No complete workaround short of upgrading for non-loopback deployments.Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Tilt-Dev/Tilt