security: health and version endpoints expose PID, Node version, and internal config #152

@paulbreuler

Description

Severity: High

The unauthenticated `/health` and `/version` endpoints expose internal server details that provide unnecessary attack surface.

Current response

```json
// GET /health
{"status":"ok","sessions":0,"uptime":4,"pid":84710,"sessionTimeoutMs":1800000,"version":"3.4.0","name":"@sudosandwich/limps"}

// GET /version
{"name":"@sudosandwich/limps","version":"3.4.0","nodeVersion":"v25.0.0"}
```

Issues

  • `pid` — exposes the server process ID, useful for process-targeting attacks
  • `nodeVersion` — reveals the exact runtime version, enabling version-targeted exploits
  • `sessionTimeoutMs` — leaks internal configuration

Fix

Remove sensitive fields from the public responses:

```typescript
// /health
{ status: 'ok', sessions: activeSessionCount, uptime: Math.floor(process.uptime()) }

// /version
{ name: pkg.name, version: pkg.version }
```

Move detailed diagnostics (pid, config values, node version) to a separate `/admin/status` endpoint gated behind a configured secret or local-only access check.

Files to modify

  • `src/server-http.ts` — strip `pid`, `sessionTimeoutMs` from health response
  • Health and version handler — strip `nodeVersion` from version response
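The split described above, as an added example that is not the limps project's own code: public `/health` and `/version` payloads carry only the non-sensitive fields, while the diagnostics move behind a gate that accepts either a loopback caller or a configured shared secret. The `x-admin-secret` header, the `adminSecret`/`allowLoopback` config names and the request shape are assumptions made for the example.

```typescript
// Added example, not code from the limps project. Names marked "hypothetical"
// are assumptions for illustration only.

type PackageInfo = { name: string; version: string };

interface RequestInfo {
  headers: Record<string, string | undefined>;
  remoteAddress: string;
}

interface AdminGateConfig {
  adminSecret?: string;    // hypothetical setting; undefined disables the secret gate
  allowLoopback: boolean;  // hypothetical setting; trust 127.0.0.1 / ::1 without a secret
}

// Public responses: no pid, no sessionTimeoutMs, no nodeVersion.
export function publicHealth(activeSessionCount: number, uptimeSeconds: number) {
  return { status: 'ok', sessions: activeSessionCount, uptime: Math.floor(uptimeSeconds) };
}

export function publicVersion(pkg: PackageInfo) {
  return { name: pkg.name, version: pkg.version };
}

// Compare every character even after a mismatch so response time does not
// reveal how much of the secret matched. Only the length is leaked here; in a
// real server prefer crypto.timingSafeEqual on equal-length buffers.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

export function isAdminAllowed(req: RequestInfo, cfg: AdminGateConfig): boolean {
  const loopback = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
  if (cfg.allowLoopback && loopback.has(req.remoteAddress)) return true;
  const presented = req.headers['x-admin-secret'];
  if (!cfg.adminSecret || !presented) return false;  // no secret configured => closed
  return constantTimeEqual(presented, cfg.adminSecret);
}

// Gated /admin/status: diagnostics are returned only when the gate passes.
export function adminStatus(req: RequestInfo, cfg: AdminGateConfig, diag: Record<string, unknown>) {
  if (!isAdminAllowed(req, cfg)) return { status: 403, body: { error: 'forbidden' } };
  return { status: 200, body: diag };
}
```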

Labels: bug (Something isn't working), security (Security vulnerability or concern)
