Dapr (Distributed Application Runtime) is a lightweight, event-driven runtime designed to help developers build resilient, microservice-based applications that can run on the cloud or edge. One of its security features is API token authentication, where calls from your app to the Dapr sidecar must include a secret token. But in June 2023, a severe security flaw (CVE-2023-37918) was discovered — an attacker could bypass this authentication with a clever HTTP request. If you use API token authentication, this post explains what happened, how the exploit works, and what you need to do now.
What is CVE-2023-37918?
CVE-2023-37918 is a vulnerability found in Dapr versions before 1.10.9 and 1.11.2 where the Dapr sidecar, responsible for securing your microservice, could be tricked into allowing requests even if the dapr-api-token header was missing or invalid.
If you had set up API token authentication in Dapr thinking it would block unauthorized app-side requests, this bug means you might not have been as safe as you thought.
Applications or clusters using the Dapr sidecar on HTTP endpoints
- If you do not use API token authentication, or only use Dapr over mTLS and gRPC, you are not at risk from this issue
Warning: This vulnerability is remotely exploitable. There are no known workarounds.
How Does the Exploit Work?
Dapr’s API token system is supposed to reject any request lacking a valid dapr-api-token header. But because of a bug, the sidecar would allow some HTTP requests to pass through authentication checks regardless of the header’s presence or value.
The exploit boils down to crafting special HTTP requests that cause the Dapr sidecar to skip or mishandle the authentication logic.
Example Exploit
Let’s say your Dapr service listens on port 350, and you have an API token set. Normally, you’d need to include the token like this:
curl -H "dapr-api-token: SUPERSECRET" http://localhost:350/v1./secrets/mysecretstore/foo
With the vulnerability, an attacker could send
curl -X GET http://localhost:350/v1./secrets/mysecretstore/foo
Or even manipulate HTTP headers in a way that *tricks* the parser (example, exploiting case-insensitivity or formatting):
curl -H "dapr-API-token: wrongtoken" http://localhost:350/v1./secrets/mysecretstore/foo
No valid token? You still get access.
Wrong header name? You still get access.
Malformed request? May still work!
Pseudocode of Vulnerability
func authenticateRequest(r *http.Request) bool {
// Get token from config and incoming request
expectedToken := os.Getenv("DAPR_API_TOKEN")
incomingToken := r.Header.Get("dapr-api-token") // susceptible to header tricks
// The check is bypassed under certain malformed requests!
if incomingToken == expectedToken {
return true
}
// <-- A bug may cause the function to allow requests where 'incomingToken' is empty or malformed.
// e.g., accidentally returning 'true' in some cases
// Attacker can exploit parsing logic here
return false
}
Actual exploit code could vary depending on your HTTP client or if you have access to the application’s network.
GitHub Security Advisory:
CVE Record:
Dapr Docs:
1.11.2 (for v1.11.x users)
Upgrade right away:
dapr uninstall --all
dapr init --runtime-version 1.10.9 # Replace 1.10.9 with 1.11.2 if you are on 1.11.x
Or update your Helm charts, manifests, or whatever deployment system you use to point to the new version.
Reminder:
There are no workarounds. You must upgrade to be safe.
Conclusion
CVE-2023-37918 is a critical bug for anyone relying on Dapr’s API token system. If your cluster relies on this feature, upgrade Dapr immediately to version 1.10.9 or 1.11.2. Attackers could easily bypass your authentication with a carefully crafted request, potentially exposing your application’s secrets or internal APIs.
Dapr is a fantastic tool for distributed applications, but as with any software, security holes can—and do—happen. Watch for updates, and always keep your dependencies patched.
Stay up to date. Stay safe.
Want to know more?
Check out the detailed advisory and remediation steps on the Dapr GitHub Security Advisory.
Timeline
Published on: 07/21/2023 21:15:00 UTC
Last modified on: 07/31/2023 17:30:00 UTC