Summary
When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind, no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no path-prefix permission. Any client that can complete a TCP connection to the listener address receives the stream.
This advisory covers the authentication gap in isolation. The cross-origin browser-reach (advisory #2b) and the network-reach (advisory #2c) amplify the impact, but each is independently fixable; this finding addresses the case where a same-origin or LAN-local client connects directly to the SSE port and reads the stream without proving anything about its identity.
Details
Root cause, the SSE handler does not consult permissions2 or any other auth
// vendor/github.com/xyproto/recwatch/eventserver.go:100-144 (1.17.6)
func GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {
return func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "text/event-stream;charset=utf-8")
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Connection", "keep-alive")
w.Header().Set("Access-Control-Allow-Origin", allowed)
// ... loop emits one SSE record per filename touched ...
}
}
Note the handler signature: func(w http.ResponseWriter, _ *http.Request). The request is discarded, no Cookie, Authorization, query-string, or remote-IP check is performed before the stream begins.
In 1.17.6 the listener was placed on its own http.ServeMux (recwatch/eventserver.go:200-215), wholly outside the perm.Rejected middleware chain that gates Algernon's main HTTP listener. Even an operator who had configured admin/user path prefixes via perm.AddAdminPath, set a cookieSecret, and forced authentication on every URL of the main server had no way to gate this listener, it was unreachable from the mux argument the perm middleware uses.
Why authentication matters for this listener
The stream contents are not public data. They reveal:
- Which files the developer is actively editing, with sub-second timing precision.
- The existence of files inside the watched root (including files the operator may have meant to keep private,
.env.local,secrets.lua, in-progress draft files). - By inference, the directory layout of the project.
A client that can connect to the listener obtains a low-rate continuous information disclosure for the lifetime of the connection. The handler is an infinite for {} loop, there is no natural session boundary or expiry.
Source-level evidence
$ rg -n 'GenFileChangeEvents|EventServer\(' vendor/github.com/xyproto/recwatch/
vendor/github.com/xyproto/recwatch/eventserver.go:101:func GenFileChangeEvents(events TimeEventMap, mut *sync.Mutex, maxAge time.Duration, allowed string) http.HandlerFunc {
vendor/github.com/xyproto/recwatch/eventserver.go:177:func EventServer(path, allowed, eventAddr, eventPath string, refreshDuration time.Duration) {
$ rg -n 'Cookie|Authorization|Token|state\.User' vendor/github.com/xyproto/recwatch/eventserver.go
# zero matches, no authentication primitive is referenced anywhere in the file
PoC (against 1.17.6)
# 1. Operator runs algernon with auto-refresh on a project directory:
algernon -a /path/to/project # spins up :5553 on Linux/macOS, localhost:5553 on Windows
# 2. Any client that can reach the listener connects without credentials:
curl -sN http://<server>:5553/sse
# => id: 0
# data: /path/to/project/secret-notes.md
#
# id: 1
# data: /path/to/project/.env.local
No Cookie, no Authorization, no X-Token, no preflight, no challenge. The connection succeeds and the stream is delivered for as long as the client keeps the socket open.
Suggestions to fix
Primary fix, require a shared secret on the SSE endpoint. The auto-refresh feature already injects a script into served HTML (engine/sse.go:118-165); that script knows the SSE URL. Add a per-startup token, embed it in the injected JS, and require it on the SSE request:
// engine/sse.go -- in InsertAutoRefresh
tmplData.SessionToken = ac.sseToken // generated once at startup, e.g. crypto/rand 32 bytes
// JS:
// var source = new EventSource('...?token={{.SessionToken}}');
// recwatch handler:
// if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")),
// []byte(serverToken)) != 1 {
// http.Error(w, "forbidden", http.StatusForbidden); return
// }
Cookie-bearing requests work too if recwatch.EventServer is moved behind perm.Rejected (see "Defence in depth"). The token approach is the smaller change.
Defence in depth, mount the SSE handler on the main mux. Moving recwatch.EventServerHandler onto the main http.ServeMux automatically places the SSE handler behind whatever middleware the operator has configured, perm.Rejected, tollbooth, custom auth wrappers. This closes the same-origin half of the gap without a per-token implementation. Any dedicated-port path bypasses perm.Rejected because it uses its own http.ServeMux, and that path needs the token fix from "Primary fix" above.
Live verification
$ ./algernon.exe --nodb --httponly --server -a --addr 127.0.0.1:18781 --quiet poc2/site
$ ( curl -sN --max-time 4 http://127.0.0.1:5553/sse > stream.txt &
sleep 1
echo "edit-1" >> poc2/site/secret-notes.md
echo "edit-2" >> poc2/site/.env.local
wait )
$ cat stream.txt
id: 0
data: C:\Users\xbox\Desktop\VulnTesting\algernon-main\poc-test\poc2\site\secret-notes.md
id: 1
data: C:\Users\xbox\Desktop\VulnTesting\algernon-main\poc-test\poc2\site\.env.local
No Cookie, no Authorization header. Stream delivered.
Impact
- Confidentiality: medium. Continuous information disclosure of filenames and edit timing to anyone who can connect.
- Integrity: none.
- Availability: low. Each connection consumes a goroutine indefinitely; many simultaneous connections can exhaust descriptors.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
GHSA-9V4J-7G44-QCQW has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.17.7); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-9V4J-7G44-QCQW? GHSA-9V4J-7G44-QCQW is a medium-severity missing authentication for critical function vulnerability in github.com/xyproto/algernon (go), affecting versions <= 1.17.6. It is fixed in 1.17.7. A critical operation is accessible without requiring any authentication.
- How severe is GHSA-9V4J-7G44-QCQW? GHSA-9V4J-7G44-QCQW has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/xyproto/algernon are affected by GHSA-9V4J-7G44-QCQW? github.com/xyproto/algernon (go) versions <= 1.17.6 is affected.
- Is there a fix for GHSA-9V4J-7G44-QCQW? Yes. GHSA-9V4J-7G44-QCQW is fixed in 1.17.7. Upgrade to this version or later.
- Is GHSA-9V4J-7G44-QCQW exploitable, and should I be worried? Whether GHSA-9V4J-7G44-QCQW is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-9V4J-7G44-QCQW is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-9V4J-7G44-QCQW? Upgrade
github.com/xyproto/algernonto 1.17.7 or later.