GHSA-6M68-R693-78QX

Vulnerability from github – Published: 2026-06-19 13:53 – Updated: 2026-06-19 13:53
VLAI
Summary
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Details

Summary

The Tilt HUD WebSocket (/ws/view) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state.

Details

The upgrader accepts a connection when the csrf query parameter matches a process-wide token (websocketCSRFToken). That token is served as text/plain by an unauthenticated handler (WebsocketToken, mounted at /api/websocket_token), so any reachable caller can fetch it and connect to /ws/view?csrf=<token>. When the parameter does not match, the upgrader falls back to a same-origin check that returns true when the Origin header is absent, so a non-browser client that omits Origin is accepted anyway. The token has no per-session binding.

Impact

An attacker who can reach the HUD listener can open the HUD WebSocket and receive the full view stream — session state, Tiltfile contents, resource statuses, and continued updates — defeating the intended anti-CSWSH protection.

Conditions for exploitation

  • Affected version in >= 0.24.0, <= 0.37.3.
  • HUD bound to a non-loopback address (tilt up --host 0.0.0.0, or TILT_HOST set).
  • Network reachability to the listener (default port 10350).

Not affected

  • The default loopback-only bind is not reachable from the network.

Workarounds

Use the default loopback bind (omit --host, unset TILT_HOST). No complete workaround short of upgrading for non-loopback deployments.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.37.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tilt-dev/tilt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.24.0"
            },
            {
              "fixed": "0.37.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T13:53:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\nThe Tilt HUD WebSocket (`/ws/view`) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an `Origin` header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer\u0027s session state.\n\n## Details\nThe upgrader accepts a connection when the `csrf` query parameter matches a process-wide token (`websocketCSRFToken`). That token is served as `text/plain` by an unauthenticated handler (`WebsocketToken`, mounted at `/api/websocket_token`), so any reachable caller can fetch it and connect to `/ws/view?csrf=\u003ctoken\u003e`. When the parameter does not match, the upgrader falls back to a same-origin check that returns true when the `Origin` header is absent, so a non-browser client that omits `Origin` is accepted anyway. The token has no per-session binding.\n\n## Impact\nAn attacker who can reach the HUD listener can open the HUD WebSocket and receive the full view stream \u2014 session state, Tiltfile contents, resource statuses, and continued updates \u2014 defeating the intended anti-CSWSH protection.\n\n### Conditions for exploitation\n- Affected version in `\u003e= 0.24.0, \u003c= 0.37.3`.\n- HUD bound to a non-loopback address (`tilt up --host 0.0.0.0`, or `TILT_HOST` set).\n- Network reachability to the listener (default port `10350`).\n\n### Not affected\n- The default loopback-only bind is not reachable from the network.\n\n## Workarounds\nUse the default loopback bind (omit `--host`, unset `TILT_HOST`). No complete workaround short of upgrading for non-loopback deployments.",
  "id": "GHSA-6m68-r693-78qx",
  "modified": "2026-06-19T13:53:35Z",
  "published": "2026-06-19T13:53:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tilt-dev/tilt/pull/6776"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tilt-dev/tilt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…