[Security][Third-Party] clawd Gateway: WebSocket Plaintext MITM and Credential Theft #12519
Description
Component: Community NPM Packages
Category: third-party-risk
Priority: Critical
Summary
The gateway.js component uses ws:// plaintext WebSocket protocol (not wss://) to connect to the Clawd backend. The CLAWD_TOKEN and all conversation content are transmitted without encryption. A network-level attacker can perform a man-in-the-middle attack to capture the authentication token and all user-AI conversations.
Risk Assessment
| Metric | Value |
|---|---|
| CVSS Score | 9.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| STRIDE | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service |
| Priority | P0 |
| Validation | Verified |
Entry Points
Via Community NPM Packages runtime
Data Flow Analysis
See detailed analysis above for attack flow description.
Call Chain
| Step | File | Function/Line | Description |
|---|---|---|---|
| 1 | clawd/gateway.js |
Line 45 | WebSocket client creates connection using ws:// plaintext protocol without TLS encryption |
| 2 | clawd/gateway.js |
Line 78 | CLAWD_TOKEN transmitted in plaintext during WebSocket handshake |
Vulnerability Location
| File | Line(s) | Issue |
|---|---|---|
clawd/gateway.js |
45 | WebSocket client creates connection using ws:// plaintext protocol without TLS encryption |
clawd/gateway.js |
78 | CLAWD_TOKEN transmitted in plaintext during WebSocket handshake |
Root Cause Analysis
Direct Cause: The gateway.js WebSocket client uses ws:// plaintext protocol instead of wss:// encrypted protocol. CLAWD_TOKEN is transmitted in the handshake without TLS protection.
Underlying Cause: No TLS configuration option exists in the gateway client. Connection security was not implemented.
Impact
- Affected Systems: Community NPM Packages
- Affected Users: All users of the affected component
- Affected Data: API keys, tokens, secrets, private keys
Exploit POC
Omitted
Exploitation Conditions
Omitted
Exploitation Method
Omitted
Attack Chain Associations
Related issues: ECO-008, ECO-012, ECO-014
Remediation
Short-term (Immediate)
- Rotate all exposed credentials immediately
- Remove hardcoded credentials from source code
- Set restrictive file permissions on config files
Medium-term (Sprint)
- Implement encrypted credential storage (KMS/Vault)
- Deploy secret scanning in CI/CD pipeline
- Add credential rotation automation
Long-term (Architecture)
- Migrate to zero-trust secret management architecture
- Implement per-plugin credential isolation
- Deploy hardware security modules for key management