
Nacos Permission Bypass Vulnerability and Its Fix

This article explains a permission‑bypass vulnerability in Nacos 1.4.2 caused by a specific User‑Agent header, demonstrates how to reproduce it, and provides step‑by‑step instructions for fixing the issue by upgrading to version 2.1.1 or adjusting configuration files.

Code Ape Tech Column

Hello everyone, I am Chen.

Nacos is widely used today as the service registry and configuration center in micro-service architectures, but like any open-source project it has had its share of security vulnerabilities.

This article walks through one specific Nacos security issue, a permission-bypass vulnerability, and how to remediate it.

1. Nacos Permission Bypass Vulnerability

Details can be found on the Nacos official site.

The vulnerability occurs when Nacos has authentication (username/password) enabled but a request carries the header user-agent: Nacos-Server. Nacos treats such a request as server-to-server traffic from the whitelist, skips authentication entirely, and returns configuration data to the unauthenticated caller.

Nacos version affected: 1.4.2

Illustrations:

Access without credentials (403)

Access with credentials (normal)

Access without credentials but with the header (bypassed)

Adding the header user-agent:Nacos-Server indeed bypasses Nacos authentication.

2. Vulnerability Fix

Upgrade to the latest Nacos version: 2.1.1

Download URL: https://nacos.io/zh-cn/docs/quick-start.html

Download link for the zip package: https://github.com/alibaba/nacos/releases/download/2.1.1/nacos-server-2.1.1.zip

Upgrade path: from 1.4.2 to 2.1.1. A detailed upgrade guide is available at https://nacos.io/zh-cn/docs/2.0.0-upgrading.html

For our environment, note the following steps:

2.1 Modify Nacos configuration file

Edit nacos/conf/application.properties (vi nacos/conf/application.properties):

# Line 122
server.tomcat.basedir=file:.

# Line 148
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security

These changes are required; otherwise the server will fail to start.

2.2 Modify Nacos database

/* Add column to config_info table */
ALTER TABLE jxbp_nacos.config_info ADD COLUMN encrypted_data_key text NULL COMMENT 'Secret key';

/* Add column to his_config_info table */
ALTER TABLE jxbp_nacos.his_config_info ADD COLUMN encrypted_data_key text NULL COMMENT 'Secret key';

2.3 Test after Nacos restart

Access without credentials but with the header (403)

The vulnerability is no longer exploitable.

Access with credentials and without the header (normal)

Testing shows normal operation.

Note: If you do not wish to upgrade, you can keep using version 1.4.2 and modify the configuration file as follows:

vi nacos/conf/application.properties

# Line 148
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security

After these changes, the service starts correctly.
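To confirm that the settings from section 2.1 (or the 1.4.2 note above) are actually in place before restarting, here is a small audit script that parses application.properties and reports anything that still leaves the User-Agent whitelist open. This is an added example, not code from the article or the Nacos project; the two sample property texts are constructed, and the property keys are the ones the article uses plus nacos.core.auth.enabled, which is the switch that turns authentication on at all.

```python
"""Audit a Nacos application.properties for the User-Agent auth whitelist fix."""
from __future__ import annotations


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: skips blanks and #/! comments and
    splits each line on the first '=' or ':' (values may contain either)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit_auth_config(text: str) -> list[str]:
    """Return findings; an empty list means the file matches the fix the article
    describes (whitelist off, server identity key and value both set)."""
    p = parse_properties(text)
    findings: list[str] = []
    if p.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("nacos.core.auth.enabled is not true: every request is unauthenticated")
    # A missing key is reported as well: the whitelist must be disabled explicitly.
    if p.get("nacos.core.auth.enable.userAgentAuthWhite", "").lower() != "false":
        findings.append("nacos.core.auth.enable.userAgentAuthWhite is not false: "
                        "requests with 'User-Agent: Nacos-Server' skip authentication")
    for key in ("nacos.core.auth.server.identity.key", "nacos.core.auth.server.identity.value"):
        if not p.get(key):
            findings.append(f"{key} is empty: required once the whitelist is disabled")
    return findings


# Constructed sample: a 1.4.2 file with auth on but the whitelist still enabled.
VULNERABLE_CONFIG = """\
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# Constructed sample mirroring the settings from section 2.1 / the 1.4.2 note.
FIXED_CONFIG = """\
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_auth_config(cfg) or ["OK"])
```

The identity key/value pair is what cluster members present to each other instead of the User-Agent, so treat the value as a shared secret and choose your own rather than a published one.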

Hope this guide helps you resolve the issue.

Source: https://sourl.cn/p6KPVz

Final Note (Please Follow)

If this article was helpful, please like, view, share, and bookmark; your support motivates me to keep writing.

Tags: Configuration, Nacos, vulnerability, security patch, Permission Bypass

Written by Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
