Ylianst: MeshCentral: Cross-Site WebSocket Hijacking in control.ashx
CWE-346
Origin Validation Error
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Per GHSA-cp68-qrhr-g9h8: “We have identified a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint of MeshCentral. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. To demonstrate the impact of the vulnerability we developed a proof-of-concept which leveraged the cross-site websocket hijacking vulnerability to read the server configuration file to leak the sessionKey variable, generating login tokens, and generating an authentication cookie.”
Affected Packages / Versions
- Package: meshcentral (npm)
- Latest published version at triage time: Prior to 1.1.21
- Affected range: Per GHSA-cp68-qrhr-g9h8: meshcentral < 1.1.21
- Patched version: MeshCentral 1.1.21
Impact
Per Praetorian’s blog: “Exploitation of the vulnerability results in complete compromise of the victim user’s account with persistent access enabled by the ability to generate login tokens and leak the sessionKey variable used to sign session cookies when the victim user is an administrator.” Praetorian’s blog explicitly discusses the `SameSite=Lax` mitigation: “Exploitation can be difficult in some scenarios due to the SameSite security policy.”
Severity Rationale
GHSA severity: HIGH. NVD CVSS 8.3 (High): network attack vector, high attack complexity, no privileges required, user interaction required, changed scope, and high confidentiality, integrity and availability impact.
Fix
Per GHSA: upgrade to MeshCentral 1.1.21. Fix commit: f2e43cc6da9f5447dbff0948e6c6024c8a315af3.
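As an added illustration (not MeshCentral's own code and not the 1.1.21 patch), the server-side control whose absence CWE-346 describes: validating the Origin header of the WebSocket handshake against the exact origins the server serves its UI from. The hostnames and sample handshakes below are constructed.

```javascript
// Added example, not MeshCentral's code: server-side Origin validation for a
// WebSocket handshake, the control whose absence CWE-346 describes. Browsers
// always send Origin on the upgrade request, so the server can refuse upgrades
// that did not start from its own web UI, independent of the browser's SameSite rules.

// Normalise an Origin value to scheme://host[:port] (default ports dropped,
// host lower-cased). Returns null for anything that is not a bare origin:
// "null", an empty header, a value with a path or credentials, a non-HTTP scheme.
function normalizeOrigin(value) {
  let u;
  try { u = new URL(String(value)); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '') return null;
  if (u.username !== '' || u.password !== '') return null;
  return `${u.protocol}//${u.host}`;
}

// Decide whether an upgrade may proceed. `headers` is the request's header
// object with lower-case keys (as Node's http module provides it); `allowedOrigins`
// lists the origins the deployment serves its UI from (behind a reverse proxy that
// is the public origin, not the backend's). Exact match only: no substring or
// suffix matching, which a look-alike hostname would satisfy. Fails closed when
// Origin is missing or malformed.
function isAllowedUpgrade(headers, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(o => o !== null));
  const origin = normalizeOrigin(headers.origin ?? '');
  return origin !== null && allowed.has(origin);
}

// Constructed sample handshakes (assumed hostnames, not captured traffic):
// the server's own UI, a different site, a look-alike hostname, and a "null"
// origin (e.g. a sandboxed frame). Only the first should be allowed.
const ALLOWED_ORIGINS = ['https://mesh.example.test'];
const SAMPLE_HANDSHAKES = [
  { upgrade: 'websocket', origin: 'https://mesh.example.test' },
  { upgrade: 'websocket', origin: 'https://other.example.test' },
  { upgrade: 'websocket', origin: 'https://mesh.example.test.other.example.test' },
  { upgrade: 'websocket', origin: 'null' },
];

// Returns one boolean per sample handshake: true = accept upgrade, false = reject.
function evaluateSamples() {
  return SAMPLE_HANDSHAKES.map(h => isAllowedUpgrade(h, ALLOWED_ORIGINS));
}

SAMPLE_HANDSHAKES.forEach((h, i) =>
  console.log(`${h.origin} -> ${evaluateSamples()[i] ? 'accept upgrade' : '403, close socket'}`));
```

Non-browser clients send no Origin and are refused by this check, so such clients need a non-cookie credential rather than an exemption from the check.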
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released (MeshCentral 1.1.21)
- Feb 21, 2024: GHSA-cp68-qrhr-g9h8 published
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026