
CVE-2025-11287: MCPHub has an Improper Authorization vulnerability via its handleSseConnection function

CVSS Score: N/A

Basic Information

EPSS Score: 0.1941%
Published: 10/5/2025
Updated: 10/9/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name: @samanhappy/mcphub
Ecosystem: npm
Vulnerable Versions: <= 0.9.10
First Patched Version:

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is an improper authentication check in the mcphub application's handling of Server-Sent Events (SSE) connections. The root cause is the validateBearerAuth function in src/services/sseService.ts: when the enableBearerAuth setting is false, which is the default, the function returns true without examining the request at all. A disabled check is therefore treated as a passed check (fail-open), so every endpoint that relies on validateBearerAuth is effectively unauthenticated in a default installation.

The primary vulnerable function is handleSseConnection, exposed on the route /:user/sse/:group. It calls validateBearerAuth to guard the endpoint, so under the default configuration an unauthenticated remote attacker can reach it. The application's middleware then reads the user parameter from the URL and sets it as the current user context. Because nothing ties that value to a verified credential, the attacker chooses their own identity, including an administrator's, simply by crafting the path (for example /admin/sse/somegroup), and gains access with the privileges of the impersonated user. The missing authentication is the root cause; the URL-supplied identity is what turns it into the improper authorization named in the title. Deployments that leave enableBearerAuth at its default of false are exposed, and this page lists no first patched version.

Vulnerable functions

handleSseConnection
src/services/sseService.ts
This function is responsible for handling Server-Sent Events (SSE) connections. It uses the `validateBearerAuth` function to perform authentication. However, `validateBearerAuth` is flawed and can be bypassed, allowing an unauthenticated attacker to establish an SSE connection and impersonate any user by providing the username in the request URL. This leads to improper authorization.
validateBearerAuth
src/services/sseService.ts
This helper function is intended to validate bearer token authentication. However, it contains a critical flaw. If `enableBearerAuth` is set to `false` in the system configuration (which is the default), the function immediately returns `true`, indicating a successful authentication without performing any checks. This allows any request to bypass authentication when the default configuration is used.
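The fail-open check and the URL-derived identity described in the Root Cause Analysis and in the two function entries above, as an added TypeScript illustration that is not MCPHub's code: the vulnerable shape is reconstructed from the advisory's description, the hardened shape is a suggested fix, and only the names validateBearerAuth, handleSseConnection and enableBearerAuth come from the advisory; the request shape, the token-to-principal map, the usernames and the token strings are all assumptions.

```typescript
// Added illustration for CVE-2025-11287; not MCPHub's source. The vulnerable
// shape is reconstructed from the advisory text; the hardened shape is a
// suggested fix. Only validateBearerAuth, handleSseConnection and
// enableBearerAuth come from the advisory; every other name is assumed.

interface Request {
  path: string;                         // e.g. "/admin/sse/default"
  headers: { [name: string]: string };  // lower-cased header names
}

interface SseResult {
  ok: boolean;
  user?: string;    // the identity the handler would act as
  reason?: string;
}

const ROUTE = /^\/([^/]+)\/sse\/([^/]+)$/;   // /:user/sse/:group

// --- vulnerable shape ------------------------------------------------------
interface SystemConfig {
  enableBearerAuth: boolean;   // false by default in the affected versions
  bearerAuthKey: string;
}

// Fails open: with bearer auth disabled (the default) every caller "passes".
function validateBearerAuth(req: Request, cfg: SystemConfig): boolean {
  if (!cfg.enableBearerAuth) return true;
  return req.headers["authorization"] === `Bearer ${cfg.bearerAuthKey}`;
}

// Takes :user from the path once the (bypassable) check has passed.
function handleSseConnection(req: Request, cfg: SystemConfig): SseResult {
  if (!validateBearerAuth(req, cfg)) return { ok: false, reason: "unauthorized" };
  const m = ROUTE.exec(req.path);
  if (!m) return { ok: false, reason: "not found" };
  return { ok: true, user: m[1] };   // attacker-chosen, e.g. "admin"
}

// --- hardened shape --------------------------------------------------------
interface HardenedConfig {
  enableBearerAuth: boolean;
  tokens: { [token: string]: string };   // bearer token -> principal (assumed design)
}

// Constant-time comparison so a key cannot be recovered byte by byte.
function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Fails closed: returns the authenticated principal or null, never a bare true.
function authenticateBearer(req: Request, cfg: HardenedConfig): string | null {
  if (!cfg.enableBearerAuth) return null;   // disabled means nobody is authenticated
  const header = req.headers["authorization"] || "";
  if (!header.startsWith("Bearer ")) return null;
  const presented = header.slice("Bearer ".length);
  for (const token in cfg.tokens) {
    if (safeEqual(token, presented)) return cfg.tokens[token];
  }
  return null;
}

// The credential names the principal; the URL may only agree with it.
function handleSseConnectionHardened(req: Request, cfg: HardenedConfig): SseResult {
  const principal = authenticateBearer(req, cfg);
  if (principal === null) return { ok: false, reason: "unauthorized" };
  const m = ROUTE.exec(req.path);
  if (!m) return { ok: false, reason: "not found" };
  if (m[1] !== principal) return { ok: false, reason: "forbidden" };
  return { ok: true, user: principal };
}

// --- constructed requests (sample data, not captured traffic) -------------
const forgedAdmin: Request = { path: "/admin/sse/default", headers: {} };
const aliceAsAdmin: Request = { path: "/admin/sse/default", headers: { authorization: "Bearer alice-token-example" } };
const aliceAsSelf: Request = { path: "/alice/sse/default", headers: { authorization: "Bearer alice-token-example" } };

const defaultCfg: SystemConfig = { enableBearerAuth: false, bearerAuthKey: "unused-when-disabled" };
const hardenedCfg: HardenedConfig = {
  enableBearerAuth: true,
  tokens: { "alice-token-example": "alice", "admin-token-example": "admin" },
};

function runScenarios() {
  return {
    vulnerableForged: handleSseConnection(forgedAdmin, defaultCfg),                // ok, user "admin"
    hardenedForged: handleSseConnectionHardened(forgedAdmin, hardenedCfg),         // unauthorized
    hardenedAliceAsAdmin: handleSseConnectionHardened(aliceAsAdmin, hardenedCfg),  // forbidden
    hardenedAliceAsSelf: handleSseConnectionHardened(aliceAsSelf, hardenedCfg),    // ok, user "alice"
    hardenedAuthDisabled: handleSseConnectionHardened(aliceAsSelf, { enableBearerAuth: false, tokens: {} }), // unauthorized
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The first scenario reproduces the advisory's bypass: no Authorization header, default configuration, and the handler acts as "admin" because the path said so. The hardened handler makes "disabled" mean "nobody is authenticated" rather than "everybody is", derives the principal from the presented credential, and rejects a path that names a different user, so enabling the feature is not the only thing standing between a default install and impersonation.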

WAF Protection Rules

WAF Rule

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remot
