
[Security] Broken authorization on setAnnouncement and servicesInfo commands #44

@coderabbitai

Summary

Critical authorization bypass allowing any client to modify server state.

Affected Code

  • server-services/start-services.js Lines 437-445 (setAnnouncement)
  • server-services/start-services.js Lines 446-458 (servicesInfo)

Vulnerability

Both handlers check only if (msg.auth_key) without validating against a server-held secret. Any non-empty string passes.

Impact

  • setAnnouncement: Any client can persistently modify the global game announcement in the database
  • servicesInfo: Any client can inject fake cluster status data

Proof of Concept

{"cmd":"setAnnouncement","auth_key":"anything","announcement":"pwned"}
{"cmd":"servicesInfo","auth_key":"anything","thisServer":0,"gameInfo":{}}

Recommended Fix

Use timing-safe comparison against an environment/config secret.

References
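
The following is an added example, not part of the original issue and not the project's code: it puts the truthiness check described above beside a timing-safe comparison against a server-held secret, and runs the issue's proof-of-concept message through both. The function names, the `state` object and the way the secret is passed in are assumptions; only the command names and the `auth_key` field come from the issue.

```javascript
const crypto = require('node:crypto');

// The check the issue describes: any non-empty string is truthy and passes.
function isAuthorizedVulnerable(msg) {
  return Boolean(msg.auth_key);
}

// Hardened check (hypothetical helper): constant-time comparison against
// a secret held by the server, e.g. loaded from an environment variable.
function isAuthorized(msg, secret) {
  // Fail closed when the server has no secret configured.
  if (typeof secret !== 'string' || secret.length === 0) return false;
  if (!msg || typeof msg.auth_key !== 'string') return false;
  // timingSafeEqual throws on unequal lengths, so compare fixed-size digests.
  const a = crypto.createHash('sha256').update(msg.auth_key).digest();
  const b = crypto.createHash('sha256').update(secret).digest();
  return crypto.timingSafeEqual(a, b);
}

// Commands the issue lists as state-changing.
const PRIVILEGED = new Set(['setAnnouncement', 'servicesInfo']);

// Hypothetical dispatcher: authorization runs before any state is touched.
function handleMessage(raw, secret, state) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return { ok: false, error: 'bad_json' };
  }
  if (msg === null || typeof msg !== 'object') {
    return { ok: false, error: 'bad_message' };
  }
  if (PRIVILEGED.has(msg.cmd) && !isAuthorized(msg, secret)) {
    return { ok: false, error: 'unauthorized' };
  }
  if (msg.cmd === 'setAnnouncement') state.announcement = String(msg.announcement);
  if (msg.cmd === 'servicesInfo') state.gameInfo = msg.gameInfo;
  return { ok: true };
}

// Constructed sample values for demonstration only.
const SAMPLE_SECRET = 'constructed-test-secret';
const POC = '{"cmd":"setAnnouncement","auth_key":"anything","announcement":"pwned"}';
```
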
