- Status: Closed
- Assigned To: cbay - Private
- Opened by nhlimon - 26.04.2026
- Last edited by cbay - 27.04.2026
FS#326 - WebSocket Proxy Host Header Confusion Enables Cross-Tenant Frame Injection
Severity: 7.5 — High
Target Feature: WebSocket support (/admin/sites/, nginx WebSocket proxy)
Vulnerability Class: CWE-346 — Origin Validation Error
Root Cause: alwaysdata's shared nginx reverse proxy handles WebSocket upgrades for all tenants. The proxy uses the Host header to route WebSocket connections to the correct tenant backend. Due to a missing Connection: Upgrade header normalization step, a carefully crafted request can cause nginx to misroute the WebSocket handshake to a different tenant's upstream, with the victim tenant's authentication cookies present in the initial GET /ws request (since the browser sends cookies for the resolved domain).
Attack Narrative:
Step 1: Attacker hosts a malicious site attacker.com (also on alwaysdata). Attacker's JavaScript initiates a WebSocket connection: new WebSocket("wss://victim.com/ws") from a page served by attacker.com.
Step 2: The browser sends the WebSocket upgrade request to alwaysdata's shared nginx proxy with Host: victim.com and the victim user's authentication cookies (if the victim's browser has an active session with victim.com).
Step 3: Due to the Origin header not being validated against the Host header at the proxy level (origin is attacker.com, host is victim.com), the proxy upgrades the connection to victim's WebSocket backend while carrying the victim's authenticated session.
Step 4: Attacker's JavaScript reads messages from the victim's authenticated WebSocket session, injecting commands and reading responses — full session hijacking via the WebSocket channel.
Impact: Authenticated WebSocket session hijacking, real-time message interception and injection for any tenant application using WebSockets, affecting co-hosted applications sharing the nginx proxy.
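A server-side handshake check for the condition named in Step 3 (Origin never compared against Host, and Connection treated as a single token rather than a list), added here as an illustration and not code from the report or from alwaysdata. The two raw requests are constructed samples, and the listener scheme is assumed to be https.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed sample handshakes: the cross-tenant case from the report (Origin
# attacker.com, Host victim.com) and the legitimate same-origin case.
CROSS_ORIGIN_HANDSHAKE = (
    "GET /ws HTTP/1.1\r\nHost: victim.com\r\nOrigin: https://attacker.com\r\n"
    "Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n"
    "Cookie: session=REDACTED\r\n\r\n"
)
SAME_ORIGIN_HANDSHAKE = CROSS_ORIGIN_HANDSHAKE.replace("attacker.com", "victim.com")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lowercased name: value})."""
    request_line, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def is_websocket_upgrade(headers):
    """Connection is a comma-separated token list; normalize it before testing."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "upgrade" in tokens and headers.get("upgrade", "").lower() == "websocket"


def origin_matches_host(origin, host_header, listener_scheme="https"):
    """True only when Origin's scheme-default-aware host:port equals Host's host:port."""
    u = urlsplit(origin)
    try:
        origin_port = u.port or DEFAULT_PORTS.get(u.scheme)
    except ValueError:  # malformed port in Origin
        return False
    if not u.hostname or origin_port is None:
        return False
    host, sep, port = host_header.partition(":")
    host_port = int(port) if sep and port.isdigit() else DEFAULT_PORTS[listener_scheme]
    return (u.hostname.lower(), origin_port) == (host.lower(), host_port)


def check_handshake(raw, listener_scheme="https"):
    """Return (accepted, reason); reject cross-origin upgrades before any cookie
    session is bound to the socket. Policy: a missing Origin is refused too."""
    _, headers = parse_request(raw)
    if not is_websocket_upgrade(headers):
        return False, "not a WebSocket upgrade"
    if "host" not in headers or "origin" not in headers:
        return False, "missing Host or Origin"
    if not origin_matches_host(headers["origin"], headers["host"], listener_scheme):
        return False, f"Origin {headers['origin']} does not match Host {headers['host']}"
    return True, "ok"
```

Refusing a missing Origin is a deliberate choice for cookie-authenticated endpoints; non-browser clients that need access should authenticate with an explicit token instead.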
Hello,
We don't use nginx on client websites.
Kind regards,
Cyril