Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)
The article analyzes a bypass flaw in Nacos 1.4.1 where the serverIdentity key‑value authentication can be evaded by crafting URLs with a trailing slash, allowing attackers to list, create, and log in as users despite the intended security checks.
The author discovered that Nacos 1.4.1's serverIdentity key‑value authentication mechanism can still be bypassed after enabling the User‑Agent whitelist, allowing unrestricted access to any HTTP interface.
To close the simple User‑Agent bypass, the setting nacos.core.auth.enable.userAgentAuthWhite:false must be added to application.properties; this disables the whitelist check for the header User-Agent: Nacos-Server.
The vulnerable logic resides in com.alibaba.nacos.core.auth.AuthFilter#doFilter. The method contains three conditional branches: (1) a whitelist based on the User‑Agent header, (2) a check of authConfigs.getServerIdentityKey() and authConfigs.getServerIdentityValue() against the request header, and (3) a default rejection.
The second branch is intended to reject mismatched server‑identity values, but due to a logic error it does not return an error when the values differ, allowing the request to continue.
Further down, the filter calls methodsCache.getMethod(req). If this call returns null, the filter exits early, skipping all authentication logic. The method becomes null when the generated urlKey does not exist in the internal urlLookup map, which occurs if the request path ends with a trailing slash.
By sending a request with a trailing slash (e.g., curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users/?username=test&password=test' --path-as-is), the extracted path becomes /nacos/v1/auth/users/. Because no mapping exists for this path, method == null is true, the filter returns early, and authentication is bypassed. This enables attackers to list users, create new users, and log in with the newly created accounts.
Reproduction steps include:
curl -XGET 'http://127.0.0.1:8848/nacos/v1/auth/users/?pageNo=1&pageSize=9'
which returns the user list without authentication, and:
curl -XPOST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test'
which creates a new user. Subsequent GET requests show the newly added user in the list, confirming the bypass.
The vulnerability affects Nacos version 1.4.1. The recommended mitigation is to upgrade to the hot‑fixed 1.4.1 release in which issue #4701 is resolved (https://github.com/alibaba/nacos/releases/tag/1.4.1).
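As an added illustration (not Nacos's own AuthFilter, nor code from the article), the following simplified Java model contrasts the fail-open control flow described above, where a null handler lookup skips authentication, with a fail-closed version that normalises the trailing slash and rejects unknown mappings; the lookup map contents, key format and method names are constructed assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/* Simplified model of the filter control flow described above. This is an added
 * illustration, not Nacos's code; map contents and key format are constructed. */
public class AuthFilterModel {
    // Stand-in for the urlLookup map: handlers are registered without a trailing slash.
    private static final Map<String, String> URL_LOOKUP = new HashMap<>();
    static {
        URL_LOOKUP.put("GET /nacos/v1/auth/users", "getUsers");
        URL_LOOKUP.put("POST /nacos/v1/auth/users", "createUser");
    }

    // Returns null when no mapping exists, e.g. for "/nacos/v1/auth/users/".
    static String lookupMethod(String httpMethod, String path) {
        return URL_LOOKUP.get(httpMethod + " " + path);
    }

    // Vulnerable shape: an unknown mapping exits early, so the request proceeds
    // without any authentication check (fail-open).
    static boolean vulnerableAllows(String httpMethod, String path, boolean authenticated) {
        if (lookupMethod(httpMethod, path) == null) {
            return true;
        }
        return authenticated;
    }

    // Fail-closed shape: strip a trailing slash before the lookup, and treat an
    // unknown mapping as grounds for rejection rather than for skipping the check.
    static boolean hardenedAllows(String httpMethod, String path, boolean authenticated) {
        String normalized = path.length() > 1 && path.endsWith("/")
                ? path.substring(0, path.length() - 1) : path;
        if (lookupMethod(httpMethod, normalized) == null) {
            return false;
        }
        return authenticated;
    }

    public static void main(String[] args) {
        String slashPath = "/nacos/v1/auth/users/";
        System.out.println("vulnerable filter allows unauthenticated request: "
                + vulnerableAllows("GET", slashPath, false));
        System.out.println("hardened filter allows unauthenticated request: "
                + hardenedAllows("GET", slashPath, false));
    }
}
```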