| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/schollz/croc/v9 | go | < 9.6.16 | 9.6.16 |

The vulnerability stems from unencrypted transmission of local IP addresses during the `ips?` message exchange. The patch wraps these operations in PAKE-based encryption (via `crypt.Encrypt`/`crypt.Decrypt` and `pake.SessionKey`). In the original code, `Send()` responded to `ipRequest` with plaintext JSON-marshaled IPs (`bips`), while `Receive()` sent the `ips?` query in cleartext. Both functions lacked encryption at the protocol stage where sensitive IP data was exchanged, which matches the CWE-311 description of missing encryption of sensitive data.
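
The following added example (not croc's code, and not taken from the patch) contrasts the two wire formats described above: a JSON-marshaled IP list sent as-is, and the same list sealed under a key derived from the session key. The function names, the SHA-256 key derivation, the use of AES-GCM from the Go standard library in place of croc's `crypt` package, and the sample IPs and session key are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// plaintextReply is the pre-patch shape: JSON-marshaled IPs go on the wire as-is.
func plaintextReply(ips []string) []byte {
	b, _ := json.Marshal(ips) // a []string always marshals
	return b
}

// aead keys AES-256-GCM from the session key (stand-in KDF, an assumption).
func aead(sessionKey []byte) cipher.AEAD {
	k := sha256.Sum256(sessionKey)
	block, _ := aes.NewCipher(k[:]) // a 32-byte key is always accepted
	g, _ := cipher.NewGCM(block)
	return g
}

// sealedReply is the patched shape: the same JSON, sealed under the session key.
func sealedReply(ips []string, sessionKey []byte) ([]byte, error) {
	g := aead(sessionKey)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintextReply(ips), nil), nil
}

// openReply authenticates and decrypts a reply; a wrong key or tampering errors.
func openReply(wire, sessionKey []byte) ([]byte, error) {
	g := aead(sessionKey)
	if len(wire) < g.NonceSize() {
		return nil, fmt.Errorf("reply shorter than nonce")
	}
	return g.Open(nil, wire[:g.NonceSize()], wire[g.NonceSize():], nil)
}

func main() {
	// Constructed sample values, not taken from the advisory.
	ips, key := []string{"192.168.1.23", "10.0.0.5"}, []byte("constructed-session-key")
	sealed, _ := sealedReply(ips, key)
	fmt.Printf("pre-patch wire: %s\npatched wire:   %x\n", plaintextReply(ips), sealed)
}
```

A quick regression check for this class of bug is to capture the bytes written to the connection during the IP exchange and assert that none of the local addresses appear in them.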