
Action Required: upgrade to v4.2.1

MeshMonitor v4.2.1 ships fixes for four authorization issues in the REST API. Three of them (MM-SEC-1/2/3) are reachable by anonymous callers under the standard public-viewer configuration. All MeshMonitor 4.x deployments are affected until upgraded.

What can leak in 4.2.0 and earlier

  • MM-SEC-1 (High): GET /api/settings returns the auto-generated VAPID private key and other secret-bearing settings (apprise URLs, analytics tokens) to any unauthenticated visitor.
  • MM-SEC-2 (High): GET /api/channels, /api/channels/all, and /api/poll return the raw 32-byte channel PSKs to any caller with channel_0:read (granted to anonymous in the default config). PSK disclosure means attackers can decrypt and inject mesh traffic indistinguishable from legitimate users.
  • MM-SEC-3 (High): /api/poll, /api/messages, and /api/messages/unread-counts return message content from hidden channels to any caller with channel_0:read. Sibling poll sections were already filtering correctly; the messages section was not.
  • MM-SEC-4 (Medium): five channel-mutator endpoints (PUT/DELETE /api/channels/:id, :id/export, :slotId/import, reorder) gated on a static channel_0:write while operating on :id, allowing an authenticated user with channel_0:write to mutate any channel, a privilege escalation between authenticated users.
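The two authorization defects above (MM-SEC-3 and MM-SEC-4) share one root cause: the permission checked does not depend on the channel actually being accessed. The following is an added example, not MeshMonitor's code, showing the vulnerable static check beside a per-channel check that derives the channel from the route parameter, plus read-filtering of a message list. The Express-style middleware signature, the user and channel objects, the sample data and the helper names (hasPermission, requireChannelPermission, filterMessagesForUser) are assumptions; only the channel_<n>:read / channel_<n>:write permission form comes from the advisory.

```javascript
// Added example (not MeshMonitor code): per-channel authorization derived from
// the route parameter, and read-filtering of message lists. Data below is constructed.

const CHANNELS = [
  { id: 0, name: 'Primary', hidden: false },
  { id: 1, name: 'Ops', hidden: true },
  { id: 2, name: 'Secondary', hidden: false },
];

// Constructed users; permission strings follow the advisory's channel_<n>:<action> form.
const USERS = {
  anonymous: { name: 'anonymous', permissions: new Set(['channel_0:read']) },
  editor: { name: 'editor', permissions: new Set(['channel_0:read', 'channel_0:write', 'channel_2:read']) },
  admin: { name: 'admin', permissions: new Set([
    'channel_0:read', 'channel_0:write', 'channel_1:read', 'channel_1:write',
    'channel_2:read', 'channel_2:write']) },
};

// Constructed messages spanning a visible, a hidden and a second visible channel.
const MESSAGES = [
  { id: 1, channel: 0, text: 'hello mesh' },
  { id: 2, channel: 1, text: 'ops only' },
  { id: 3, channel: 0, text: 'weather update' },
  { id: 4, channel: 2, text: 'secondary chatter' },
];

function hasPermission(user, channelId, action) {
  return user.permissions.has(`channel_${channelId}:${action}`);
}

// Vulnerable pattern (MM-SEC-4): a fixed permission string guards a route that acts on :id,
// so anyone holding channel_0:write passes regardless of which channel :id names.
function requireStaticPermission(perm) {
  return (req, res, next) => {
    if (!req.user.permissions.has(perm)) return res.status(403).end();
    next();
  };
}

// Hardened: validate the route parameter strictly, confirm the channel exists,
// then check the permission for that specific channel.
function requireChannelPermission(action, param = 'id') {
  return (req, res, next) => {
    const raw = String(req.params[param] ?? '');
    if (!/^\d+$/.test(raw)) return res.status(404).end();
    const channelId = Number(raw);
    if (!CHANNELS.some((c) => c.id === channelId)) return res.status(404).end();
    if (!hasPermission(req.user, channelId, action)) return res.status(403).end();
    req.channelId = channelId;
    next();
  };
}

// MM-SEC-3 pattern: the messages section must apply the same per-channel read
// filter the sibling poll sections already applied.
function filterMessagesForUser(user, messages) {
  return messages.filter((m) => hasPermission(user, m.channel, 'read'));
}

// Minimal harness so the middleware can be exercised without a web framework.
// Returns the HTTP status the middleware would have produced (200 if it called next()).
function runMiddleware(mw, user, params) {
  const req = { user, params };
  let status = 200;
  let reached = false;
  const res = { status(code) { status = code; return this; }, end() {} };
  mw(req, res, () => { reached = true; });
  return reached ? 200 : status;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('static check, editor on channel 1:', runMiddleware(requireStaticPermission('channel_0:write'), USERS.editor, { id: '1' }));
  console.log('per-channel check, editor on channel 1:', runMiddleware(requireChannelPermission('write'), USERS.editor, { id: '1' }));
  console.log('anonymous sees', filterMessagesForUser(USERS.anonymous, MESSAGES).length, 'of', MESSAGES.length, 'messages');
}
```

Running it shows the editor (who holds only channel_0:write) passing the static check for channel 1 but receiving 403 from the per-channel check, and the anonymous user seeing only channel 0 messages. The strict `^\d+$` match on the parameter matters: a lenient parseInt would accept values like `1abc`, and a non-existent channel is reported as 404 before any permission is consulted so the response does not reveal which channels exist.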

Operator mitigations if you cannot upgrade immediately

  1. Block GET /api/settings at your reverse proxy for unauthenticated callers.
  2. Revoke channel_0:read from the Anonymous user in Settings → Users. This breaks the public dashboard for logged-out visitors but is the only way to fully close MM-SEC-2 and MM-SEC-3 without code changes.
  3. Provision VAPID via environment variables (VAPID_PUBLIC_KEY, VAPID_PRIVATE_KEY, VAPID_SUBJECT) and rotate any auto-generated key by deleting the vapid_* rows from the settings table and restarting. Existing browser subscriptions re-subscribe transparently on next visit.
  4. Audit accounts holding channel_0:write and revoke from any user not intended to have full per-channel write access (mitigates MM-SEC-4).
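After applying mitigations 1 and 2 it is worth confirming, from an anonymous caller's point of view, that the listed endpoints either refuse the request or no longer carry secret-bearing fields. The following is an added example, not part of the advisory or of MeshMonitor, that walks a JSON response body and reports keys that look secret-bearing (PSK, private key, apprise URL, token). The sample bodies and their field names (vapidPrivateKey, appriseUrls, psk) are constructed; MeshMonitor's real response shape is not documented on this page, so adjust SECRET_KEY_PATTERN to the field names you actually see. checkDeployment is a hypothetical helper for running the same assessment against your own instance with Node's global fetch; it is defined but not invoked.

```javascript
// Added example (not MeshMonitor code): assess anonymous responses for secret-bearing
// fields to verify the interim mitigations. Sample data below is constructed.

const SECRET_KEY_PATTERN = /(psk|private|secret|token|apprise|password)/i;

// Recursively collect JSON paths whose key matches the pattern and whose value is non-empty.
function findSecretBearingFields(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSecretBearingFields(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const here = path ? `${path}.${k}` : k;
      if (SECRET_KEY_PATTERN.test(k) && v !== null && v !== undefined && v !== '') hits.push(here);
      hits.push(...findSecretBearingFields(v, here));
    }
  }
  return hits;
}

// Desired state for an anonymous caller: either the request is refused (proxy block,
// or revoked anonymous permission) or a 200 body contains no secret-bearing fields.
function assessAnonymousResponse(endpoint, status, body) {
  if (status === 401 || status === 403) return { endpoint, ok: true, reason: `refused (${status})` };
  if (status !== 200) return { endpoint, ok: false, reason: `unexpected status ${status}` };
  const leaks = findSecretBearingFields(body);
  return leaks.length === 0
    ? { endpoint, ok: true, reason: 'no secret-bearing fields' }
    : { endpoint, ok: false, reason: `secret-bearing fields: ${leaks.join(', ')}` };
}

function assessAll(samples) {
  return Object.entries(samples).map(([ep, r]) => assessAnonymousResponse(ep, r.status, r.body));
}

// Constructed: what an unmitigated 4.2.0 deployment might return anonymously.
const SAMPLE_BEFORE = {
  '/api/settings': { status: 200, body: {
    vapidPublicKey: 'BPUBLIC-EXAMPLE', vapidPrivateKey: 'PRIVATE-EXAMPLE',
    appriseUrls: ['tgram://EXAMPLE-TOKEN'], theme: 'dark' } },
  '/api/channels': { status: 200, body: [
    { id: 0, name: 'Primary', psk: 'AQ==' },
    { id: 1, name: 'Ops', psk: 'BASE64-PSK-EXAMPLE' } ] },
};

// Constructed: the same endpoints after blocking /api/settings at the proxy and
// revoking channel_0:read from Anonymous (channels now refuse, settings is blocked).
const SAMPLE_AFTER = {
  '/api/settings': { status: 403, body: null },
  '/api/channels': { status: 401, body: null },
};

// Hypothetical live check against your own deployment (Node 18+ global fetch). Not run here.
async function checkDeployment(baseUrl, endpoints = ['/api/settings', '/api/channels', '/api/channels/all', '/api/poll']) {
  const results = [];
  for (const ep of endpoints) {
    const res = await fetch(baseUrl + ep, { headers: { accept: 'application/json' } });
    let body = null;
    try { body = await res.json(); } catch { body = null; }
    results.push(assessAnonymousResponse(ep, res.status, body));
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', assessAll(SAMPLE_BEFORE));
  console.log('after:', assessAll(SAMPLE_AFTER));
}
```

A 200 with a clean body is also acceptable (for example /api/channels after upgrading to 4.2.1 while keeping the public dashboard), which is why the check inspects the body rather than demanding a refusal. Keep the key pattern broad: the advisory lists VAPID material, apprise URLs and analytics tokens for /api/settings, so a narrow match on psk alone would miss the MM-SEC-1 fields.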

After upgrading

  • Rotate any channel PSKs that were exposed while a public-viewer dashboard was reachable. The PSK leak is the highest-impact finding because it cannot be undone retroactively: anyone who saved the old keys can still decrypt traffic captured at the time.
  • Rotate the auto-generated VAPID private key if you never set the env vars (delete the three vapid_* rows + restart).

Disclosure & credits

Reported by an external security researcher. Full per-finding write-up: SECURITY_ADVISORY.md. PRs: #2904 (MM-SEC-1), #2905 (MM-SEC-2), #2906 (MM-SEC-3), #2907 (MM-SEC-4).
