N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-xv8g-fj9h-6gmv

GHSA-xv8g-fj9h-6gmv: Linkdave Missing Authentication on REST and WebSocket endpoints

The linkdave server does not enforce authentication on its REST and WebSocket routes in versions prior to 0.1.5.

Impact

An attacker with network access to the server port can:

Connect to the WebSocket endpoint (/ws) and receive a valid session_id in the OpReady response.
Use that session to invoke all REST player controls on any guild corresponding to their session id[1].
Enumerate server statistics and runtime information via the unauthenticated /stats endpoint (still public after the fix).

[1] If on >=0.1.0, attackers are restricted to creating, controlling and deleting players created within their own session ID.

Vulnerable Routes

The following routes were entirely unauthenticated in >= 0.0.1, < 0.1.5:

| Method | Path | Description | |--------|------|-------------| | POST | /sessions/{session_id}/players/{guild_id}/play | Start audio playback | | POST | /sessions/{session_id}/players/{guild_id}/pause | Pause playback | | POST | /sessions/{session_id}/players/{guild_id}/resume | Resume playback | | POST | /sessions/{session_id}/players/{guild_id}/stop | Stop playback | | POST | /sessions/{session_id}/players/{guild_id}/seek | Seek to position | | PATCH | /sessions/{session_id}/players/{guild_id}/volume | Set volume | | DELETE | /sessions/{session_id}/players/{guild_id} | Disconnect from voice channel | | GET | /ws | WebSocket event stream |

Patches

Update to 0.1.5.

- image: ghcr.io/shi-gg/linkdave:0.1.4
+ image: ghcr.io/shi-gg/linkdave:latest

docker pull ghcr.io/shi-gg/linkdave:latest

After upgrading, set the LINKDAVE_PASSWORD environment variable to a strong secret value. If this variable is left unset, the server will still accept all connections without authentication even on >= 0.1.5.

Server configuration (e.g. compose.yml):

environment:
    LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}

echo "LINKDAVE_PASSWORD=$(openssl rand -hex 16)" >> .env

To restart the stack, run

docker compose up -d

TypeScript client (0.1.5+):

The client automatically handles authentication. Pass the password when constructing the client:

const linkdave = new LinkDaveClient({
    nodes: [
        {
            name: "main",
            url: process.env.LINKDAVE_URI,
            password: process.env.LINKDAVE_PASSWORD
        }
    ]
});

Workarounds

If upgrading is not immediately possible, restrict network access to the server's port using a firewall so it is only accessible from trusted internal IP addresses.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-xv8g-fj9h-6gmv

GHSA-xv8g-fj9h-6gmv:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/shi-gg/linkdave	go	< 0.1.5	0.1.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis identified two primary points of failure in the shi-gg/linkdave server, both related to missing authentication. The security advisory states that both REST and WebSocket endpoints are unprotected. The provided patch commit 0f9a00d9d549b16278db81fce6dfec350c2abc01 confirms this by adding authentication checks in two key locations.

WebSocket Endpoint: The function server.HandleWebSocket in server/server/websocket.go is the entry point for all WebSocket connections. The patch adds a password check from the URL query parameters. Before this change, the function would proceed to handle the connection without any form of authentication, making it a vulnerable function.
REST Endpoints: The function server.withSession in server/server/routes.go acts as a middleware for REST API routes. The anonymous function it returns, which serves as the HTTP handler, was modified to include an authentication check. It now validates a Bearer token from the Authorization header. Prior to this patch, any endpoint using this middleware was completely unprotected. In a Go runtime profile, this anonymous function would be identified as server.(*Server).withSession.func1.

The root cause of the vulnerability is the absence of authentication mechanisms on network-exposed endpoints that handle sensitive operations, allowing unauthenticated remote attackers to connect and potentially interact with the server.

Vulnerable functions

server.HandleWebSocket

server/server/websocket.go

The 'HandleWebSocket' function is responsible for handling incoming WebSocket connections. Prior to the patch, this function did not perform any authentication checks, allowing any remote attacker to establish a WebSocket connection without credentials. The patch introduces a password check, making the lack of it the vulnerability.

server.(*Server).withSession.func1

server/server/routes.go

The 'withSession' function is a middleware that wraps HTTP handlers for REST endpoints. The anonymous function returned by 'withSession' is the actual HTTP handler. Before the patch, this handler did not perform any authentication, exposing all REST routes that use this middleware. The patch adds a check for a Bearer token in the 'Authorization' header.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.