3.1 KiB
GHSA Draft: agentmemory REST and stream services bound to 0.0.0.0 by default
Severity: High · CVSS 3.1: 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
CWE: CWE-668 — Exposure of Resource to Wrong Sphere, CWE-306 — Missing Authentication for Critical Function
Affected versions: < 0.8.2
Patched version: 0.8.2
Summary
The default iii-config.yaml bound both the REST API (port 3111) and the streams server (port 3112) to 0.0.0.0, exposing them on every network interface the host could reach. Combined with the fact that AGENTMEMORY_SECRET is unset by default, this meant any device on the same local network as a running agentmemory instance could read the entire memory store without authentication.
Affected endpoints included:
GET /agentmemory/export— full dump of every captured observation, memory, session, and audit entryGET /agentmemory/sessions— session listPOST /agentmemory/smart-search— arbitrary search over all captured contentPOST /agentmemory/observe— ability to inject fake observationsPOST /agentmemory/remember— ability to plant arbitrary memories- All 109 other REST endpoints
Impact
A developer running agentmemory on a laptop in a coffee shop, office, or conference WiFi effectively published their entire memory store — including captured API keys, file contents, prompts, decisions, and project context — to anyone on the same network.
Attackers on the same network could:
- Exfiltrate secrets.
curl http://<victim-ip>:3111/agentmemory/exportdownloads everything. Depending on the incompleteness of the secret redaction (see advisory #06), this could include API keys and tokens. - Inject memories. An attacker could
POST /agentmemory/observeor/rememberwith fake observations, poisoning the memory store so future sessions retrieve attacker-controlled context. - Pivot to other services. The mesh sync endpoint (before the auth fix in advisory #04) accepted peer data from any source.
Patches
Fixed in 0.8.2:
iii-config.yamlnow binds REST, streams to127.0.0.1- Viewer server already bound to
127.0.0.1 - New
iii-config.docker.yamlfor Docker deployments: containers bind to0.0.0.0internally (required for Docker networking) but host port mapping is restricted to127.0.0.1:portindocker-compose.yml - README and API section documentation updated to note 127.0.0.1 as the default
Workarounds
Users on affected versions should manually edit their iii-config.yaml and change the REST and streams host values to 127.0.0.1:
modules:
- class: modules::api::RestApiModule
config:
host: 127.0.0.1 # was 0.0.0.0
- class: modules::stream::StreamModule
config:
host: 127.0.0.1 # was 0.0.0.0
And set AGENTMEMORY_SECRET to a strong random value to protect endpoints even if network exposure is needed.
References
Credit
@eng-pf