Authentication Bypass Vulnerability in Nacos 1.2.1 (CVE-2021-29441)
Summary
A high-risk authentication bypass vulnerability exists in Nacos version 1.2.1, which is the default version used by the target project. Additionally, the project’s Docker build process directly pulls the official nacos:1.2.1 image, making this vulnerable version widely deployed by default. Due to improper handling of the User-Agent header, attackers can bypass authentication and execute administrative operations such as adding, deleting, and modifying user accounts without valid credentials. This poses a severe threat to the integrity and security of systems built with this default configuration.
Details
The affected project leverages Nacos 1.2.1 as its default service registry and configuration management component. When deployed via Docker, the build process pulls the nacos:1.2.1 image by default, meaning environments set up using the provided official documentation are immediately vulnerable.
Nacos 1.2.1 suffers from CVE-2021-29441, where authentication checks can be bypassed by sending crafted HTTP requests with a specific User-Agent header. This design flaw incorrectly trusts certain clients, allowing attackers to escalate privileges and perform unauthorized operations such as:
- Adding new administrative users
- Deleting legitimate user accounts
- Resetting or modifying user passwords
- Potentially altering or deleting critical configuration data
Exploitation Process
- Deploy an environment using Docker (e.g., Nacos quick setup guide).
- Download and use the NacosExploitGUI tool to scan port 8848.
- The tool detects the vulnerability and allows an attacker to add a new administrative user.
- Using the newly created user, the attacker logs into the system and gains full access to sensitive administrative functionality.
Impact
- Full administrative access to the Nacos management interface without valid credentials
- Unauthorized modification of configuration and user data
- Potential compromise of dependent microservices and applications
- Escalation to full system compromise in integrated environments
Root Cause
The vulnerability stems from improper authentication logic that relies on the User-Agent header rather than robust session or token-based authentication. This design flaw allows attackers to spoof legitimate clients and bypass security controls.
Recommendation
Upgrade Nacos to 2.x or the latest patched release in the Docker image build, so that the authentication bypass via User-Agent manipulation is no longer possible. Additionally, avoid exposing Nacos instances directly to the internet and implement network access controls so that only trusted hosts can reach the management API.
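As an added, defender-side example that is not part of this report or of the Nacos project: the check below runs over constructed access-log lines and flags write operations against the Nacos 1.x user-management API that arrive from outside an assumed trusted network. It deliberately never uses the User-Agent header to decide anything, since that header is exactly what this flaw trusts; the log layout, endpoint prefix handling and trusted subnets are assumptions for the example.

```python
# Added example (not from the report): flag write operations against the
# Nacos 1.x user-management API that arrive from outside the trusted
# cluster/admin network. Log layout and addresses below are constructed.
import ipaddress
import re

USER_API_PREFIX = "/nacos/v1/auth/users"   # admin API abused in CVE-2021-29441
WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Assumed: only cluster members and the admin subnet may manage users.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]

# Combined-log style line: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) \S+" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def scan(lines):
    """Return (ip, method, path, user_agent) for each user-management write
    from an untrusted source. The User-Agent is carried for context only:
    this CVE is about trusting that header, so it never suppresses an alert."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line, skip
        path = m["path"].split("?", 1)[0] # ignore query string when matching
        if (m["method"] in WRITE_METHODS and path.startswith(USER_API_PREFIX)
                and not is_trusted(m["ip"])):
            findings.append((m["ip"], m["method"], path, m["ua"]))
    return findings

# Constructed sample: one internal call (allowed), one config read (not in
# scope), and two external user-management writes that must be flagged.
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /nacos/v1/auth/users HTTP/1.1" 200 15 "-" "Java/1.8"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /nacos/v1/cs/configs?dataId=app HTTP/1.1" 200 120 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /nacos/v1/auth/users?username=x HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "DELETE /nacos/v1/auth/users?username=alice HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, ua in scan(SAMPLE_LOG):
        print(f"ALERT {method} {path} from {ip} (User-Agent: {ua})")
```

Alerts from this check are a signal to review the Nacos user table and upgrade, not proof of compromise; combined with the network restriction recommended above, untrusted sources should not be able to reach this API at all.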