Description
Summary
A critical authorization bypass vulnerability exists in the abstract router's dataValidate() method that allows any authenticated instance owner to perform operations on ANY other instance in the same deployment.
Vulnerability Class
CWE-639: Authorization Bypass Through User-Controlled Key
Root Cause
File: src/api/abstract/abstract.router.ts lines 34-37
The auth guard at src/api/guards/auth.guard.ts validates instance ownership using req.params.instanceName (from the URL path). However, the abstract router subsequently merges req.query into the instance object via Object.assign(instance, request.query), allowing query parameters to overwrite the already-authenticated instanceName.
The auth guard never reads req.query, so the override happens AFTER authentication passes.
Affected Scope
This affects every endpoint that uses dataValidate() with the default param=true routing, including all instance, message, chat, group, and integration endpoints. An attacker with one instance token can read messages, send messages, delete instances, and modify settings of any other instance.
Suggested Fix
Prevent instanceName from being overridden by query parameters:
```ts
// In abstract.router.ts dataValidate()
if (request?.query && Object.keys(request.query).length > 0) {
  const { instanceName, instanceId, ...safeQuery } = request.query as any;
  Object.assign(instance, safeQuery); // Don't allow security-critical fields to be overridden
}
```
Or alternatively, have the auth guard validate the final instance object rather than just URL params.
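The guard-then-merge ordering described above, as an added stand-alone example (not code from this repository): a hypothetical `authorize` guard that checks only the path parameter, a vulnerable `buildInstanceVulnerable` that merges the whole query afterwards, and a hardened `buildInstanceHardened` that applies the suggested fix. Token and instance names are constructed sample data.

```typescript
// Added example, not the project's own code. `authorize`, `buildInstance*`,
// OWNERS and the request shape are hypothetical stand-ins for the real router.

type Query = Record<string, unknown>;
interface RouteRequest { params: { instanceName: string }; query: Query; token: string; }
interface Instance { instanceName: string; [key: string]: unknown; }

// Constructed sample: which token owns which instance.
const OWNERS: Record<string, string> = { "token-A": "instance-A", "token-B": "instance-B" };

// Models the auth guard: it reads only the URL path parameter, never the query.
function authorize(req: RouteRequest): boolean {
  return OWNERS[req.token] === req.params.instanceName;
}

// Vulnerable shape: the whole query object is merged after the guard has passed,
// so query.instanceName silently replaces the already-authenticated value.
function buildInstanceVulnerable(req: RouteRequest): Instance | null {
  if (!authorize(req)) return null;
  const instance: Instance = { instanceName: req.params.instanceName };
  if (req.query && Object.keys(req.query).length > 0) {
    Object.assign(instance, req.query);
  }
  return instance;
}

// Hardened shape (the report's suggested fix): drop the identity fields before
// merging, so only non-security query values reach the instance object.
function buildInstanceHardened(req: RouteRequest): Instance | null {
  if (!authorize(req)) return null;
  const instance: Instance = { instanceName: req.params.instanceName };
  if (req.query && Object.keys(req.query).length > 0) {
    const { instanceName, instanceId, ...safeQuery } = req.query;
    Object.assign(instance, safeQuery);
  }
  return instance;
}

// Constructed request: token-A is authorized for instance-A by the path, while
// the query carries a different instanceName plus an ordinary filter field.
const crossInstanceRequest: RouteRequest = {
  params: { instanceName: "instance-A" },
  query: { instanceName: "instance-B", number: "123" },
  token: "token-A",
};
```

A regression test for the fix is simply: after `dataValidate()`, `instance.instanceName` must still equal the path parameter the guard validated, whatever the query contained.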
Disclosure
This was found through static code analysis. I attempted to report via GitHub Security Advisory (GHSA) but private vulnerability reporting is not enabled on this repository. I recommend enabling it at Settings → Security → Private vulnerability reporting.
I've omitted the full proof-of-concept from this public issue. If you'd like the complete details, please reach out or enable private vulnerability reporting.