CVE-2021-41191

7.5 HIGH

📋 TL;DR

CVE-2021-41191 is a missing-authentication flaw (an authentication bypass) in Roblox-Purchasing-Hub: the /v1/products route served by BOT/lib/cogs/website.py does not check for an API key, so anyone who knows the hub's API URL can list and download product files they have not paid for. Versions 1.0.1 and earlier are affected; 1.0.2 adds the missing check.

💻 Affected Systems

Products:
  • Roblox-Purchasing-Hub
Versions: 1.0.1 and prior
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected versions.

📦 What is this software?

Roblox-Purchasing-Hub (Redon-Tech) is an open-source hub for selling Roblox products. It is structured as a bot with cog modules (BOT/lib/cogs/) and exposes a small HTTP API (website.py) through which buyers retrieve their product files; that API is the surface this CVE affects.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized actors could download all product files, potentially exposing sensitive product data, intellectual property, or proprietary content without authentication.

🟠

Likely Case

Attackers who discover API URLs could download product files they shouldn't have access to, leading to data exposure and potential intellectual property theft.

🟢

If Mitigated

With proper API key authentication, only authorized users can access product files, maintaining proper access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the target's API URL but no authentication credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2

Vendor Advisory: https://github.com/Redon-Tech/Roblox-Purchasing-Hub/security/advisories/GHSA-76mx-6584-4v8q

Restart Required: Yes

Instructions:

1. Update to version 1.0.2 or later.
2. Restart the Roblox-Purchasing-Hub service so the new route code is loaded.
3. Verify the fix by requesting /v1/products without an API key; the request must now be rejected, and a request with a valid key must still succeed.

🔧 Temporary Workarounds

Manual API Key Requirement

Applies to: all

Add the @require_apikey decorator to the vulnerable route so that it enforces API key authentication.

Edit BOT/lib/cogs/website.py and add @require_apikey to the handler for /v1/products, placing it directly beneath the route decorator (between the route decorator and the def line). Decorators apply bottom-up: in Flask-style frameworks the route decorator registers whatever function it receives, so a check placed above the route decorator wraps a function that has already been registered and never runs on incoming requests.
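The workaround hinges on decorator order, so here is an added example (not code from the Roblox-Purchasing-Hub project) that reproduces the three variants against a tiny stand-in for the web framework. The stand-in `App.route` does what Flask-style frameworks do: it records the function it is handed and returns it unchanged. The header name `API-Key` and the key value are assumptions for the example, not the project's real scheme.

```python
from functools import wraps

# Minimal stand-in for a Flask/Quart-style app (example only): route()
# records the handler it is given in a dispatch table and returns the
# original function unchanged, exactly as the real frameworks do.
class App:
    def __init__(self):
        self.routes = {}

    def route(self, path):
        def register(func):
            self.routes[path] = func
            return func
        return register

    def dispatch(self, path, headers):
        # A request is modelled as its header dict; handlers return (status, body).
        return self.routes[path](headers)


VALID_KEYS = {"k-3f9a"}  # constructed example key, not a real one
API_KEY_HEADER = "API-Key"  # assumed header name


def require_apikey(func):
    """Reject the request unless the API key header carries a known key."""
    @wraps(func)
    def wrapper(headers):
        if headers.get(API_KEY_HEADER) not in VALID_KEYS:
            return 401, "API key required"
        return func(headers)
    return wrapper


def build_apps():
    """Return (vulnerable, wrong_order, fixed) apps, each serving /v1/products."""
    vulnerable, wrong_order, fixed = App(), App(), App()

    @vulnerable.route("/v1/products")       # 1.0.1 behaviour: no check at all
    def products_unprotected(headers):
        return 200, ["product-1.rbxm"]

    @require_apikey                          # wrong: applied AFTER route() registered the raw handler
    @wrong_order.route("/v1/products")
    def products_wrong(headers):
        return 200, ["product-1.rbxm"]

    @fixed.route("/v1/products")
    @require_apikey                          # right: wraps the handler before route() sees it
    def products_fixed(headers):
        return 200, ["product-1.rbxm"]

    return vulnerable, wrong_order, fixed


def probe(app, headers=None):
    """Status code for GET /v1/products with the given headers (the 'How to Verify' check)."""
    return app.dispatch("/v1/products", headers or {})[0]


if __name__ == "__main__":
    for name, app in zip(("vulnerable", "wrong order", "fixed"), build_apps()):
        print(f"{name:12s} no key -> {probe(app)}, with key -> {probe(app, {API_KEY_HEADER: 'k-3f9a'})}")
```

The "wrong order" app answers 200 to an unauthenticated request even though `@require_apikey` is visibly present in the source, which is why the verification step below, not a code read, should decide whether the workaround took effect.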

🧯 If You Can't Patch

  • Implement network-level access controls (firewall rules or a reverse-proxy allow-list) so only trusted sources can reach the API endpoints
  • Monitor API access logs for requests to the /v1/products endpoint that carry no API key

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET to /v1/products with no API key. If the server returns the product data instead of rejecting the request, the system is vulnerable.

Check Version:

Check the deployed version (release tag or the commit the deployment was built from); version 1.0.1 or earlier is affected.

Verify Fix Applied:

Send an HTTP GET to /v1/products without an API key; the request should be rejected. Then repeat it with a valid key to confirm legitimate access still works.
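An added example (not part of the original page or of the project) that performs the two checks above against a live instance with only the standard library. The header name `API-Key` is an assumption; set it to whatever your deployment expects. A 2xx without a key means vulnerable, a 401 or 403 means the check is in place, and anything else (redirect to a login page, 404 because the base URL is wrong, 5xx) is reported as inconclusive rather than guessed at.

```python
import sys
import urllib.error
import urllib.request

API_KEY_HEADER = "API-Key"   # assumption: the header the hub reads the key from


def classify(status):
    """Verdict for an unauthenticated GET /v1/products that returned the given status."""
    if 200 <= status < 300:
        return "vulnerable"
    if status in (401, 403):
        return "protected"
    return "inconclusive"


def probe_products(base_url, api_key=None, timeout=10):
    """Return (status, verdict) for GET {base_url}/v1/products, optionally with a key."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v1/products", method="GET")
    if api_key:
        req.add_header(API_KEY_HEADER, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code          # 4xx/5xx arrive as exceptions in urllib
    return status, classify(status)


def verify_fix(base_url, api_key):
    """Both checks from 'Verify Fix Applied': no key must be rejected, a valid key must work."""
    no_key_status, verdict = probe_products(base_url)
    with_key_status, _ = probe_products(base_url, api_key)
    return {
        "unauthenticated": (no_key_status, verdict),
        "authenticated_ok": 200 <= with_key_status < 300,
    }


if __name__ == "__main__":
    # usage: python check.py https://hub.example/ [api-key]
    base = sys.argv[1]
    if len(sys.argv) > 2:
        print(verify_fix(base, sys.argv[2]))
    else:
        print(probe_products(base))
```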

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /v1/products endpoint
  • Successful product file downloads without API key authentication

Network Indicators:

  • HTTP GET requests to /v1/products without authentication headers
  • Unusual download patterns from product endpoints

SIEM Query (field names depend on your log schema; auth_token stands for whichever field your web server logs the API key into):

source="web_logs" AND uri="/v1/products" AND NOT auth_token=*
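The same detection logic as the query above, run over constructed sample log lines as an added example (not from the page or the project). The format is the common log format with one extra quoted field for the request's API key header ("-" when absent); that extra field, the IPs, timestamps and key are all made up for the example, and the regex should be adapted to what your server actually logs.

```python
import re
from collections import Counter

# Constructed sample access log (not real traffic). Last quoted field = API key
# header value, or "-" when the request carried none. The 401 line shows what a
# patched instance would log for the same unauthenticated request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2021:10:01:02 +0000] "GET /v1/products HTTP/1.1" 200 5120 "-"
198.51.100.23 - - [20/Oct/2021:10:01:09 +0000] "GET /v1/products HTTP/1.1" 200 5120 "k-3f9a"
203.0.113.7 - - [20/Oct/2021:10:01:15 +0000] "GET /v1/products HTTP/1.1" 200 5120 "-"
192.0.2.55 - - [20/Oct/2021:10:02:00 +0000] "GET /v1/products HTTP/1.1" 401 27 "-"
203.0.113.7 - - [20/Oct/2021:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<apikey>[^"]*)"$'
)


def parse_line(line):
    """Return the log record as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_product_hit(rec):
    """Equivalent of the SIEM query, plus a 2xx filter: the server actually served the data."""
    path = rec["uri"].split("?", 1)[0]          # ignore any query string
    return (path == "/v1/products"
            and rec["apikey"] in ("", "-")
            and rec["status"].startswith("2"))


def find_unauthenticated_downloads(log_text):
    """All records where /v1/products was served without an API key."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_product_hit(rec):
            hits.append(rec)
    return hits


def downloads_per_source(hits):
    """Count hits per client IP: repeated pulls from one address are the 'unusual download pattern'."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_downloads(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} served {rec["uri"]} with no API key')
    print(downloads_per_source(found))
```

Filtering on a 2xx status matters for triage: after the patch or workaround the same query still matches the probes, but they return 401/403 and are attempts rather than exposures.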
