Skip to content

fix: restrict dev server to loopback host and origin#110

Open
radu-mocanu wants to merge 1 commit into
mainfrom
fix/dev-server-loopback-guard
Open

fix: restrict dev server to loopback host and origin#110
radu-mocanu wants to merge 1 commit into
mainfrom
fix/dev-server-loopback-guard

Conversation

@radu-mocanu

@radu-mocanu radu-mocanu commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • the uipath dev server now rejects requests whose Host or Origin header is not loopback, so websites the developer visits can no longer read the project or trigger runs cross-origin
  • CORS is scoped to the server's own loopback origin instead of *
  • the file API refuses to read or write credential files (.env, .env.*, .uipath/)

Why

While uipath dev was running, any page the developer opened could fetch the unauthenticated localhost API cross-origin to steal the UiPath Cloud access token from .env and write plus run an entrypoint (RCE). Validating the Host header also closes the DNS-rebinding variant.

@radu-mocanu radu-mocanu force-pushed the fix/dev-server-loopback-guard branch from 7e606e3 to 50bdfbc Compare July 3, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant