CVE-2024-52294
📋 TL;DR
An Insecure Direct Object Reference (IDOR) vulnerability in Khoj's subscription endpoint allows any authenticated user to modify other users' Stripe subscriptions by changing the email parameter in the request: the handler checks that the caller is logged in but never checks that the email it acts on belongs to the caller. This affects Khoj deployments running versions before 1.29.10 that expose subscription management (the Stripe-backed /api/subscription endpoint).
💻 Affected Systems
- Khoj (versions before 1.29.10)
⚠️ Manual Verification Required
This CVE does not carry version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The NVD entry does not specify which versions are vulnerable. The vendor advisory linked below names 1.29.10 as the patched release, so treat any earlier version as affected and confirm manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could cancel, downgrade, or modify billing for any user's subscription, causing financial loss, service disruption, and potential data access issues.
Likely Case
Malicious authenticated users manipulating other users' subscription levels or billing information, leading to service interruptions and administrative overhead.
If Mitigated
Proper authorization checks prevent unauthorized subscription modifications, limiting impact to legitimate subscription management only.
🎯 Exploit Status
Exploitation requires only an ordinary authenticated account on the instance; substituting another user's email in the parameter is enough, with no special tooling or privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.29.10
Vendor Advisory: https://github.com/khoj-ai/khoj/security/advisories/GHSA-hq4h-w933-jm6c
Restart Required: Yes
Instructions:
1. Update Khoj to version 1.29.10 or later.
2. Restart the Khoj service.
3. Verify that the update_subscription endpoint no longer acts on an arbitrary email parameter: a request naming another account must be refused, or must affect only the caller's own subscription.
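The missing authorization step, shown as an added example that is not Khoj's code: an in-memory customer table stands in for the Stripe API, and the names `Customer`, `SUBSCRIPTIONS`, `update_subscription_vulnerable` and `update_subscription_fixed` are illustrative. The vulnerable handler confirms the caller is logged in and then acts on whatever `email` the caller sent; the hardened one derives the target from the session and treats a mismatching `email` parameter as an authorization failure rather than silently ignoring it.

```python
"""IDOR in a subscription handler: vulnerable pattern beside the hardened one.

Added illustration, not Khoj's code. An in-memory table stands in for
stripe.Customer.list(email=...); handler and type names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Customer:
    """Minimal stand-in for a Stripe customer with one subscription."""
    email: str
    active: bool = True


# Constructed sample data: two paying users.
SUBSCRIPTIONS = {
    "alice@example.com": Customer("alice@example.com"),
    "bob@example.com": Customer("bob@example.com"),
}


def _apply(customer: Customer, operation: str) -> dict:
    """Apply a subscription operation and report the resulting state."""
    if operation == "cancel":
        customer.active = False
    elif operation == "resubscribe":
        customer.active = True
    else:
        raise ValueError(f"unknown operation {operation!r}")
    return {"email": customer.email, "active": customer.active}


def update_subscription_vulnerable(session_email: str, email: str, operation: str) -> dict:
    """Vulnerable: the caller is authenticated but never authorized.

    The target customer is looked up by the caller-supplied `email`; nothing
    ties it to `session_email`, so any logged-in user can act on any account.
    """
    return _apply(SUBSCRIPTIONS[email], operation)


def update_subscription_fixed(session_email: str, email: Optional[str], operation: str) -> dict:
    """Hardened: the target is the session identity, never the parameter.

    An `email` that still arrives and names someone else is rejected outright
    instead of being ignored, so misuse is visible in the error path.
    """
    if email is not None and email.strip().lower() != session_email.strip().lower():
        raise PermissionError("email parameter does not match the authenticated user")
    return _apply(SUBSCRIPTIONS[session_email], operation)


def demo() -> dict:
    """Logged-in attacker (mallory) tries to cancel alice's subscription."""
    attacker, victim = "mallory@example.com", "alice@example.com"
    result = {"vulnerable": update_subscription_vulnerable(attacker, victim, "cancel")}
    try:
        update_subscription_fixed(attacker, victim, "cancel")
        result["fixed"] = "modified"
    except PermissionError:
        result["fixed"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The comparison is case-insensitive on purpose: a check that lets `Alice@Example.com` through while blocking `alice@example.com` would only invite a trivial bypass.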
🔧 Temporary Workarounds
Disable subscription endpoint
Temporarily disable the vulnerable /api/subscription endpoint by configuring the web server or reverse proxy in front of Khoj to block requests to /api/subscription. This also blocks legitimate subscription management for the duration, so treat it as a stopgap until the update is applied.
Implement WAF rules
Add web application firewall rules that flag or block requests to /api/subscription whose email parameter does not match the authenticated user. A WAF can only enforce this if it can see the session identity; where it cannot, fall back to blocking or rate-limiting the path.
🧯 If You Can't Patch
- Implement additional authorization middleware that validates user ownership before processing subscription requests
- Monitor subscription modification logs for suspicious activity and implement rate limiting on the endpoint
🔍 How to Verify
Check if Vulnerable:
Using two accounts you control, authenticate as the first and send the subscription update request to /api/subscription with the email parameter set to the second account. If the second account's subscription changes, or the response reports acting on it, the instance is vulnerable. Do not test against accounts you do not own.
Check Version:
Check the Khoj version via the application interface or the deployment configuration (container image tag or installed package version); anything below 1.29.10 is affected.
Verify Fix Applied:
Repeat the two-account test after updating: the request naming the other account must be rejected with an authorization error or affect only the caller's own subscription, and the second account's subscription must remain unchanged.
📡 Detection & Monitoring
Log Indicators:
- Several subscription modifications from a single account in a short window, especially ones naming different target emails
- Subscription changes where the authenticated (session) user's email differs from the email parameter in the request
Network Indicators:
- Requests to /api/subscription whose email parameter names a user other than the authenticated one. The email travels in the request parameters, so the proxy or application must log those parameters, not just the path, for this to be visible at all
SIEM Query (illustrative; field names depend on how your proxy or Khoj deployment logs the session user and request parameters):
source="khoj" AND path="/api/subscription" AND email!=user.email
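The two log indicators above turned into a rule, as an added example that is not part of Khoj or the original page. The log format is an assumption: one JSON object per line carrying the session user's email in `user`, plus `method`, `path` and the raw `query` string; the sample lines are constructed. The rule keys on the path and the presence of an `email` parameter rather than on the HTTP method, so a change of verb between versions does not blind it.

```python
"""Detection for CVE-2024-52294-style abuse in application access logs.

Added example, not part of Khoj or the original page. Log format is an
assumption (JSON per line with `user`, `method`, `path`, `query`); adapt the
field names to what your deployment actually logs. The query string must be
logged at all, because the email parameter lives there.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

SUBSCRIPTION_PATH = "/api/subscription"

# Constructed sample lines. Lines 1 and 5 are legitimate self-service (line 5
# differs from the session user only in letter case). Lines 2-4 are one
# logged-in account (mallory) naming other users' emails. Line 6 is noise.
SAMPLE_LOG = """\
{"ts":"2024-11-12T10:00:01Z","user":"alice@example.com","method":"PATCH","path":"/api/subscription","query":"email=alice%40example.com&operation=cancel"}
{"ts":"2024-11-12T10:00:07Z","user":"mallory@example.com","method":"PATCH","path":"/api/subscription","query":"email=alice%40example.com&operation=cancel"}
{"ts":"2024-11-12T10:00:09Z","user":"mallory@example.com","method":"PATCH","path":"/api/subscription","query":"email=bob%40example.com&operation=cancel"}
{"ts":"2024-11-12T10:00:12Z","user":"mallory@example.com","method":"PATCH","path":"/api/subscription","query":"email=carol%40example.com&operation=cancel"}
{"ts":"2024-11-12T10:01:00Z","user":"bob@example.com","method":"PATCH","path":"/api/subscription","query":"email=Bob%40Example.com&operation=resubscribe"}
{"ts":"2024-11-12T10:01:03Z","user":"bob@example.com","method":"GET","path":"/api/chat","query":"q=hello"}
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one JSON access-log record; malformed lines yield an empty dict."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return {}
    return rec if isinstance(rec, dict) else {}


def _norm(email: str) -> str:
    """Normalise for comparison so case differences do not cause false alerts."""
    return email.strip().lower()


def detect_idor(lines: Iterable[str], burst_threshold: int = 3) -> List[dict]:
    """Return alerts for cross-account email parameters and per-user bursts.

    The HTTP method is deliberately not a filter: the rule keys on the path
    and the presence of the `email` query parameter.
    """
    alerts: List[dict] = []
    writes_per_user: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("path") != SUBSCRIPTION_PATH or "user" not in rec:
            continue
        params = parse_qs(rec.get("query", ""))
        target = params.get("email", [None])[0]
        if target is None:
            continue  # no email parameter: not the pattern this rule covers
        writes_per_user[rec["user"]] += 1
        if _norm(target) != _norm(rec["user"]):
            alerts.append({
                "type": "cross_account_email",
                "ts": rec.get("ts"),
                "user": rec["user"],
                "target": target,
                "operation": params.get("operation", [None])[0],
            })
    for user, count in writes_per_user.items():
        if count >= burst_threshold:
            alerts.append({"type": "burst", "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect_idor(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the rule raises three cross-account alerts for mallory plus one burst alert for the same account, and nothing for bob, whose `Bob%40Example.com` matches his session after normalisation. Tune `burst_threshold` to your own baseline of legitimate subscription changes per user.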