How to Exploit and Patch the Nacos Authentication Bypass Vulnerability (v1.2‑v1.4)
This article explains the Nacos authentication bypass vulnerability affecting versions 1.2‑1.4, how attackers can exploit whitelist headers to gain unauthorized access, the widespread exposure revealed by Zoomeye scans, and the official remediation steps including upgrading to v1.4.1 and disabling the UA whitelist.
Impact Scope
Versions: Nacos 1.2 to 1.4. Versions below 1.2 have no authentication at all and also need protection.
Vulnerability Details
Because the issue is severe, detailed exploitation steps are omitted to prevent malicious use.
The problem: an internal whitelist mechanism allows bypassing authentication even when auth is enabled, enabling configuration changes and data retrieval.
A normal request without login (no token) returns 403 Forbidden.
By crafting a whitelist request header, attackers can bypass authentication and manipulate Nacos Server information.
The vulnerability is widely exposed; using Zoomeye with the query title:"Nacos" reveals publicly accessible Nacos servers on ports 80/443. Scanning port 8848 would find many more.
Remediation
The official fix is released in version v1.4.1; upgrade promptly.
Enable authentication and disable the original UA whitelist mechanism.
<code>nacos.core.auth.enabled=true
# Turn off the legacy User-Agent whitelist
nacos.core.auth.enable.userAgentAuthWhite=false
# Custom identity key and value (must not be empty; replace the sample values)
nacos.core.auth.server.identity.key=aaa
nacos.core.auth.server.identity.value=bbb
</code>
Additionally, avoid exposing such services to the internet and perform security audits.
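One way to check a Nacos `application.properties` against the remediation settings above (an added example, not code from the original article or the Nacos project). It assumes the identity key is named `nacos.core.auth.server.identity.key` as in the Nacos documentation, reports a missing `userAgentAuthWhite` line as unsafe, and uses a constructed list of sample values and two constructed config files.

```python
import re

# Property names from the remediation; identity key name as in the Nacos docs.
AUTH = "nacos.core.auth.enabled"
UA_WHITE = "nacos.core.auth.enable.userAgentAuthWhite"
ID_KEY = "nacos.core.auth.server.identity.key"
ID_VALUE = "nacos.core.auth.server.identity.value"
SAMPLE_VALUES = {"aaa", "bbb", "example"}  # assumed list of copy-pasted samples

def parse_properties(text):
    """Parse key=value lines of a .properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return findings; an empty list means the remediation is in place."""
    p = parse_properties(text)
    findings = []
    if p.get(AUTH, "").lower() != "true":
        findings.append(f"{AUTH} is not true")
    if p.get(UA_WHITE, "").lower() != "false":  # missing counts as unsafe
        findings.append(f"{UA_WHITE} is not false")
    for key in (ID_KEY, ID_VALUE):
        value = p.get(key, "")
        if not value:
            findings.append(f"{key} is missing or empty")
        elif value.lower() in SAMPLE_VALUES:
            findings.append(f"{key} still holds a sample value")
    return findings

# Constructed sample files, not taken from a real deployment.
WEAK = """nacos.core.auth.enabled=true
nacos.core.auth.server.identity.key=aaa
nacos.core.auth.server.identity.value=
"""
HARDENED = """nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=node-id-7f3c
nacos.core.auth.server.identity.value=constructed-secret-Zq8
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED) or "OK")
```

The weak sample shows the case where authentication is enabled but the whitelist is never switched off and the identity pair is left as a sample or empty.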
References
v1.4.1: https://github.com/alibaba/nacos/releases/tag/1.4.1
Java Architecture Diary
Committed to sharing original, high‑quality technical articles; no fluff or promotional content.