Description
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.
Problem types
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-2h89-vcvx-5pvh
github.com/.../capgo/security/advisories/GHSA-2h89-vcvx-5pvh (GitHub Security Advisory (GHSA-2h89-vcvx-5pvh))
www.vulncheck.com/...ddlewarekey-via-x-limited-key-id-header (VulnCheck Advisory: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header)