Skip to content

Security: Unauthenticated /finish endpoint can shut down KMS onboard service #611

Description

@kvinwang

Note: This issue documents a vulnerability that was originally reported privately as the repository security advisory GHSA-fc72-qqqp-cjgr by @pbeza.

Root Cause

The KMS onboard service exposes a GET /finish endpoint that triggers shutdown.notify() with zero authentication. Any network-reachable caller can invoke this endpoint to shut down the onboard service, preventing new CVMs from bootstrapping their keys.

Attack Path

  1. Attacker discovers the KMS onboard service endpoint
  2. Attacker sends GET /finish — no authentication required
  3. The onboard service shuts down via shutdown.notify()
  4. New CVMs cannot bootstrap because the onboard service is unavailable
  5. If the onboard service is critical to KMS initialization, this could prevent the entire KMS from becoming operational

Impact

Denial of service against the KMS bootstrapping process. New CVMs cannot obtain their initial keys and certificates. For MPC, this prevents new nodes from joining the threshold signing protocol. If the KMS is in the middle of initial setup, the /finish call prematurely terminates the bootstrap process.

Suggested Fix

Require authentication for the /finish endpoint:

#[get("/finish")]
async fn finish(admin_token: AdminToken, shutdown: &State<Notify>) -> &'static str {
    shutdown.notify_one();
    "OK"
}

Alternatively, restrict /finish to localhost-only access via network-level controls.


Note: This finding was reported automatically as part of an AI/Claude-driven internal audit by the NEAR One MPC team. It has not been manually verified by a human to confirm whether it constitutes an actual security issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-related issue, report, or hardening worksecurity: not-production-vulnDoes not compromise supported production deployments under the documented threat modelsecurity: reportPublic security report or already-public security finding

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions