
@kolega-ai-dev

Security Disclosure Notice

This PR addresses a security vulnerability identified by Kolega.dev as part of our automated security remediation platform validation.

Disclosure Timeline:

  • December 10, 2025: Initial responsible disclosure sent to security@nocodb.com with full technical details, reproduction steps, and proposed fixes
  • December 16, 2025: Follow-up sent noting the approaching 7-day SLA
  • December 19, 2025: No acknowledgment received; PR submitted publicly per standard responsible disclosure practices

We attempted to coordinate privately through NocoDB's official security reporting channel. After exceeding the published response SLA without acknowledgment, we are proceeding with public disclosure to ensure the community can protect their deployments.

Vulnerability identified and fix provided by Kolega.dev (https://kolega.dev/)

Change Summary

Fixes critical WebSocket authentication vulnerability (CWE-287) where unauthenticated users could establish WebSocket connections and access real-time data. The middleware's empty catch block previously allowed all connections to proceed regardless of authentication status.

Change type

  • feat: (new feature for the user, not a new feature for build script)
  • fix: (bug fix for the user, not a fix to a build script)
  • docs: (changes to the documentation)
  • style: (formatting, missing semicolons, etc.; no production code change)
  • refactor: (refactoring production code, e.g. renaming a variable)
  • test: (adding missing tests, refactoring tests; no production code change)
  • chore: (updating grunt tasks etc; no production code change)

Test / Verification

  • Verify authenticated users can successfully establish WebSocket connections
  • Verify unauthenticated users receive 'Unauthorized' error when attempting WebSocket connections
  • Confirm authentication failures are properly handled without allowing connection

Additional information / screenshots (optional)

Security Impact: This fix addresses a critical authentication bypass vulnerability. Previously, the guard.canActivate() result was not being checked, allowing all WebSocket connections regardless of authentication status.

Changes made:

  • Capture and validate guard.canActivate() return value
  • Only proceed with next() if authentication succeeds
  • Reject connections with 'Unauthorized' error on auth failure
  • Properly handle exceptions by rejecting the connection

File modified: packages/nocodb/src/gateways/socket.gateway.ts

@CLAassistant

CLAassistant commented Dec 19, 2025

CLA assistant check
All committers have signed the CLA.

Previously, the WebSocket authentication middleware had an empty catch block
that allowed all connections to proceed regardless of authentication status.
This created a critical security vulnerability (CWE-287) where unauthenticated
users could establish WebSocket connections and access real-time data.

Changes:
- Capture and check the return value of guard.canActivate()
- Only call next() if authentication succeeds
- Reject connections with 'Unauthorized' error on auth failure
- Properly handle exceptions by rejecting the connection

This ensures that only authenticated clients can establish WebSocket connections.
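The middleware defect and fix that both the PR description and the commit message describe, as an added TypeScript example that is not NocoDB's own code: a minimal Socket.IO-style auth middleware in which the guard, the socket shape and the tokens ("valid-token", "boom") are constructed for the example. The vulnerable shape ignores the guard's result and swallows errors; the fixed shape checks the result and passes an 'Unauthorized' error to next() on either a false result or an exception.

```typescript
// Added example, not NocoDB's code: a minimal model of the Socket.IO-style
// auth middleware the PR describes. guard.canActivate() either returns a
// boolean or throws; next() must be called only on true, next(err) otherwise.

type Socket = { handshake: { auth?: { token?: string } }; data: Record<string, unknown> };
type NextFn = (err?: Error) => void;
type Middleware = (socket: Socket, next: NextFn) => void;

// Constructed guard. Real guards are often async; then the call must be awaited
// inside the same try block so that both a false result and a rejection are handled.
const guard = {
  canActivate(socket: Socket): boolean {
    const token = socket.handshake.auth?.token;
    if (token === "boom") throw new Error("auth backend unavailable");
    if (token === "valid-token") { socket.data.user = { id: 1 }; return true; }
    return false;
  },
};

// Vulnerable shape: return value ignored, catch block empty, next() always reached.
const vulnerableMiddleware: Middleware = (socket, next) => {
  try {
    guard.canActivate(socket);
  } catch {
    // swallowed: an auth failure is indistinguishable from success
  }
  next();
};

// Fixed shape: the result is checked, and both a false result and an exception
// reject the handshake by passing an 'Unauthorized' error to next().
const fixedMiddleware: Middleware = (socket, next) => {
  try {
    if (guard.canActivate(socket)) next();
    else next(new Error("Unauthorized"));
  } catch {
    next(new Error("Unauthorized"));
  }
};

// Harness: runs a middleware for one handshake and reports whether it was admitted.
function admits(mw: Middleware, token?: string): { admitted: boolean; error?: string } {
  const socket: Socket = { handshake: { auth: { token } }, data: {} };
  let outcome: { admitted: boolean; error?: string } = { admitted: false, error: "next() never called" };
  mw(socket, (err) => { outcome = err ? { admitted: false, error: err.message } : { admitted: true }; });
  return outcome;
}
```

In Socket.IO, `next(err)` aborts the handshake and the client receives a `connect_error` event, which is the behaviour the verification steps above check for.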
@FaizanKolega force-pushed the nc-fix/websocket-auth-validation branch from 90282ad to da1c40b on December 19, 2025 16:28