Platform
nodejs
Component
@samanhappy/mcphub
Fixed in
0.11.0
CVE-2025-13822 is an authentication bypass vulnerability discovered in MCPHub. The flaw lets unauthenticated attackers execute actions with the privileges of other users, which can lead to unauthorized access to and manipulation of data. The vulnerability affects MCPHub versions from 0.0.0 through 0.11.0. A patch addressing the issue is available in version 0.11.0.
CVE-2025-13822 affects MCPHub versions prior to 0.11.0 and is a critical authentication bypass. The flaw allows unauthenticated attackers to reach certain endpoints without valid credentials and, as a result, to perform actions on behalf of other users: reading sensitive data, modifying configuration, or compromising the integrity of the system. Its severity comes from how easy it is to exploit and from the impact on the application and the data it handles. Updating MCPHub to version 0.11.0 or later is essential to mitigate the risk; as long as these endpoints lack authentication they remain an open door for attacks with significant consequences.
The vulnerability exists because certain MCPHub endpoints are not protected by the authentication middleware. An attacker can therefore send requests directly to those endpoints without logging in or presenting credentials, and can craft them to perform unauthorized actions such as modifying user data, changing permissions, or executing operations with elevated privileges. Exploitation is straightforward: it requires only knowledge of the unprotected endpoints and the ability to send HTTP requests. The root cause is the missing validation of the caller's identity before access to these functions is granted, which leaves the application open to impersonation and unauthorized access.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
The fix for CVE-2025-13822 is to update MCPHub to version 0.11.0 or a later release, which addresses the authentication bypass. Alongside the update, it is recommended to apply additional measures such as restricting network access to the service and monitoring it for suspicious activity. Verify that the update has actually been applied and that the affected endpoints now require authentication. Reviewing the application's configuration against security best practices also helps prevent similar incidents. The update is the most effective measure; the complementary measures reinforce it.
Update MCPHub to version 0.11.0 or later to mitigate the authentication bypass vulnerability. This update fixes the missing authentication protection on certain endpoints, preventing unauthenticated attackers from performing actions on behalf of other users.
Updating to version 0.11.0 corrects a security vulnerability that could allow attackers to access your system without authorization.
If you cannot update yet, consider restricting network access to the service and monitoring system activity.
If you are running a version prior to 0.11.0, you are affected by this vulnerability.
Consult the official MCPHub documentation or the CVE-2025-13822 entry in vulnerability databases.