Joro Proxy Mode: Unauthenticated API + Wildcard CORS Enables Cross-Origin RCE
Joro ≤v1.1.0 in default proxy mode exposes an unauthenticated API with wildcard CORS, allowing malicious cross-origin JavaScript to upload and execute arbitrary native plugins. A single page visit triggers code execution as the operator's user.
CVE References
Affected
Vulnerability Description
This vulnerability chains three security misconfigurations in Joro's proxy mode (the default deployment):
-
Missing Authentication Layer: The internal API server (
internal/api/server.go) only applies authentication middleware when running in listener mode, leaving all endpoints—including plugin upload and system restart—accessible without credentials in proxy mode. -
Overpermissive CORS Policy: The
corsMiddlewareunconditionally setsAccess-Control-Allow-Origin: *on all responses, contrary to the assumption documented inSECURITY.mdthat localhost-only binding provides sufficient isolation. -
Plugin Auto-Execution: Uploaded plugins execute automatically on load, creating a direct pathway from upload to code execution.
The combined effect is unauthenticated remote code execution reachable from any malicious webpage the operator visits, exploiting the browser's same-origin policy enforcement (not applicable to localhost) and use of CORS-safelisted multipart/form-data to bypass preflight checks.
Proof-of-Concept Significance
This PoC demonstrates a critical trust boundary violation: the localhost API was designed with an implicit security model (local binding = safe) that is violated by wildcard CORS. The attack requires only that a victim operator visit a malicious webpage while Joro is running—no social engineering, credential compromise, or network access is required. The reliability is high: the attack exploits fundamental HTTP semantics and browser behavior. Preconditions are minimal: Joro must be running in proxy mode (default) on v1.1.0 or earlier, and the operator's browser must execute JavaScript from the attacker's domain.
Detection Guidance
Log Indicators:
- HTTP POST requests to
/api/plugins/uploador/api/system/restartwithoutAuthorizationheaders - Requests with
Originheader not matching127.0.0.1orlocalhost Access-Control-Allow-Origin: *in API responses to cross-origin requests- Unexpected plugin files appearing in the plugin directory with recent timestamps
Network Signatures:
- Outbound HTTP requests from browser processes to
127.0.0.1:9090/api/plugins/uploadcontaining binary or obfuscated payloads - Correlation of webpage visits with subsequent plugin installation and process behavior changes
System Monitoring:
- New executable files created in Joro's plugin directory immediately after API calls
- Process spawning or capability elevation following plugin load events
- Joro process restarts triggered by API calls without user interaction
Mitigation Steps
Immediate Actions:
- Upgrade Joro to v1.1.1 or later (patch release addressing authentication and CORS)
- Restrict CORS scope: If running affected versions in constrained environments, manually patch
corsMiddlewareto setAccess-Control-Allow-Origin: http://127.0.0.1:9090(same-origin only) - Enable authentication in proxy mode: Apply
AuthMiddlewareto all API endpoints regardless of listener mode - Implement network isolation: Firewall
127.0.0.1:9090to prevent browser access; use system-level IPC or Unix sockets instead
Hardening:
- Disable plugin auto-execution; require manual approval or signed plugin verification
- Run Joro in a dedicated user account with minimal privileges
- Use Content Security Policy (CSP) headers in any web interfaces to prevent malicious script injection
- Monitor and audit plugin sources; implement plugin signing
Risk Assessment
Exploitation Likelihood: High in the wild. The attack surface is enormous—any webpage visit triggers potential exploitation. The technical barrier is low; exploitation can be automated and scaled. Threat actors with web presence (malware distribution sites, compromised legitimate sites, ad networks) would find this valuable.
Threat Actor Interest: Very high. This is a browser-to-RCE chain affecting systems administrators and developers who run proxy tools. Targeted campaigns against DevOps/security professionals are well-documented. The impact (code execution as the operator's user) enables lateral movement, data exfiltration, and supply chain attacks.
Prioritization: Organizations running Joro in proxy mode should treat this as an immediate emergency patch requiring deployment within 24–48 hours.
Sources