{"id":"GHSA-hq4h-w933-jm6c","summary":"khoj has an IDOR in subscription management that allows unauthorized subscription modifications","details":"### Summary\nAn Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request.\n\n### Details\nThe vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription.\n\nVulnerable code in `/api/subscription`:\n```python\n@subscription_router.patch(\"\")\n@requires([\"authenticated\"])\nasync def update_subscription(request: Request, email: str, operation: str):\n    # IDOR: email parameter directly references user subscriptions without ownership verification\n    customers = stripe.Customer.list(email=email).auto_paging_iter()\n    customer = next(customers, None)\n    \n    if operation == \"cancel\":\n        # Any authenticated user can modify any subscription referenced by email\n        customer_id = customer.id\n        for subscription in stripe.Subscription.list(customer=customer_id):\n            stripe.Subscription.modify(subscription.id, cancel_at_period_end=True)\n```\n\n### PoC\n1. Create a customer account in Stripe:\n   - Customer A: `adventure8812@zeropath.com` (attacker)\n\n2. Log in as any user.\n\n3. Send this request:\n```http\nPATCH /api/subscription?email=adventure8812@zeropath.com&operation=cancel HTTP/1.1\n```\n\n4. The subscription for Customer A is successfully set to cancel.\n\n### Impact\nHigh:\nRevenue loss via mass cancellation of subscriptions.\nLoss of customer trust by re-enabling subscriptions they had set to cancel.\n\n### Resolution\n\nThis was fixed in the following commit, which limited subscription update operations to the authenticated user: https://github.com/khoj-ai/khoj/commit/47d3c8c23597900af708bdc60aced3ae5d2064c1. Support for arbitrarily presenting an email for update has been deprecated.\n","aliases":["CVE-2024-52294"],"modified":"2024-12-30T18:53:19.656963Z","published":"2024-12-30T16:12:40Z","related":["CVE-2024-52294"],"database_specific":{"github_reviewed_at":"2024-12-30T16:12:40Z","nvd_published_at":"2024-12-30T17:15:09Z","severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-639"]},"references":[{"type":"WEB","url":"https://github.com/khoj-ai/khoj/security/advisories/GHSA-hq4h-w933-jm6c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52294"},{"type":"WEB","url":"https://github.com/khoj-ai/khoj/commit/47d3c8c23597900af708bdc60aced3ae5d2064c1"},{"type":"PACKAGE","url":"https://github.com/khoj-ai/khoj"}],"affected":[{"package":{"name":"khoj","ecosystem":"PyPI","purl":"pkg:pypi/khoj"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.29.0"}]}],"versions":["1.0","1.16.1.dev15","1.16.1.dev16","1.16.1.dev25","1.16.1.dev26","1.16.1.dev47","1.17.0","1.17.1.dev216","1.17.1.dev217","1.17.1.dev218","1.17.1.dev219","1.17.1.dev220","1.17.1.dev221","1.17.1.dev222","1.17.1.dev223","1.17.1.dev229","1.17.1.dev233","1.20.0","1.20.1.dev1","1.20.1.dev11","1.20.1.dev2","1.20.1.dev3","1.20.1.dev4","1.20.1.dev5","1.20.1.dev6","1.20.2","1.20.2.dev1","1.20.2.dev5","1.20.2.dev6","1.20.2.dev8","1.20.3","1.20.3.dev1","1.20.3.dev10","1.20.3.dev11","1.20.3.dev13","1.20.3.dev14","1.20.3.dev15","1.20.3.dev2","1.20.4","1.20.4.dev1","1.20.4.dev13","1.20.4.dev2","1.20.4.dev5","1.20.4.dev6","1.20.4.dev8","1.20.4.dev9","1.20.5.dev1","1.20.5.dev10","1.20.5.dev15","1.20.5.dev16","1.20.5.dev17","1.20.5.dev18","1.20.5.dev22","1.20.5.dev8","1.21.0","1.21.1","1.21.1.dev1","1.21.1.dev2","1.21.2","1.21.2.dev2","1.21.3","1.21.3.dev5","1.21.3.dev6","1.21.4","1.21.4.dev1","1.21.4.dev4","1.21.4.dev8","1.21.4.dev9","1.21.5","1.21.5.dev1","1.21.5.dev5","1.21.6","1.21.6.dev13","1.21.6.dev14","1.21.6.dev6","1.21.7.dev1","1.21.7.dev4","1.21.7.dev6","1.21.7.dev7","1.21.7.dev9","1.22.0","1.22.1","1.22.1.dev1","1.22.2","1.22.2.dev10","1.22.2.dev11","1.22.2.dev12","1.22.2.dev9","1.22.3","1.22.3.dev5","1.22.3.dev6","1.22.4.dev1","1.22.4.dev12","1.22.4.dev13","1.22.4.dev2","1.22.4.dev6","1.22.4.dev7","1.23.0","1.23.1","1.23.1.dev1","1.23.2","1.23.2.dev1","1.23.2.dev2","1.23.3","1.23.3.dev1","1.23.3.dev18","1.23.3.dev2","1.23.3.dev3","1.23.3.dev4","1.23.3.dev5","1.23.3.dev7","1.23.4.dev1","1.23.4.dev11","1.23.4.dev12","1.23.4.dev2","1.23.4.dev3","1.23.4.dev4","1.23.4.dev7","1.24.0","1.24.1","1.24.1.dev14","1.24.1.dev3","1.24.1.dev4","1.24.1.dev5","1.24.1.dev7","1.24.1.dev8","1.24.1.dev9","1.24.2.dev10","1.24.2.dev14","1.24.2.dev15","1.24.2.dev16","1.24.2.dev19","1.24.2.dev2","1.24.2.dev28","1.24.2.dev3","1.24.2.dev31","1.24.2.dev33","1.24.2.dev34","1.24.2.dev4","1.24.2.dev6","1.24.2.dev7","1.24.2.dev8","1.24.2.dev9","1.25.0","1.25.1.dev1","1.25.1.dev12","1.25.1.dev14","1.25.1.dev19","1.25.1.dev2","1.25.1.dev33","1.25.1.dev34","1.25.1.dev7","1.25.1.dev9","1.26.0","1.26.1","1.26.1.dev1","1.26.1.dev3","1.26.2","1.26.2.dev1","1.26.3","1.26.3.dev1","1.26.3.dev3","1.26.4","1.26.4.dev1","1.26.4.dev2","1.26.5.dev1","1.26.5.dev15","1.26.5.dev16","1.26.5.dev27","1.26.5.dev29","1.26.5.dev32","1.26.5.dev34","1.26.5.dev35","1.26.5.dev37","1.26.5.dev43","1.26.5.dev44","1.27.0","1.27.1","1.27.1.dev1","1.27.2.dev1","1.27.2.dev12","1.27.2.dev13","1.27.2.dev130","1.27.2.dev14","1.27.2.dev15","1.27.2.dev16","1.27.2.dev167","1.27.2.dev18","1.27.2.dev2","1.27.2.dev29","1.28.0","1.28.1","1.28.1.dev1","1.28.2","1.28.2.dev1","1.28.3","1.28.3.dev1","1.28.4.dev1","1.28.4.dev11","1.28.4.dev12","1.28.4.dev13","1.28.4.dev2","1.28.4.dev22","1.28.4.dev23","1.28.4.dev24","1.28.4.dev3","1.28.4.dev7","1.28.4.dev71","1.28.4.dev72","1.28.4.dev76","1.28.4.dev77","1.28.4.dev78","1.28.4.dev79","1.28.4.dev81","1.28.4.dev89","1.28.4.dev90","1.28.4.dev92","1.28.4.dev93","1.28.4.dev94"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-hq4h-w933-jm6c/GHSA-hq4h-w933-jm6c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}