AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-5j35-xr4g-vwf4: @grackle-ai/server has a Missing Secure Flag on Session Cookie

lowvulnerability

security

Source: GitHub Advisory DatabaseMarch 25, 2026

Summary

The @grackle-ai/server software doesn't set the Secure flag on its session cookie (a flag that prevents the cookie from being sent over unencrypted connections). While this is safe for local use, enabling the `--allow-network` option exposes the cookie to interception over insecure connections, allowing attackers to steal session data.

Solution / Mitigation

Update to version 0.70.5. The fix conditionally adds the `; Secure` attribute to the cookie when the server uses HTTPS or when `--allow-network` is enabled, using this code: `const securePart = isHttps ? "; Secure" : ""; return \`${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}\`;`. As a temporary workaround, do not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy (a security intermediary that handles encrypted connections).

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedAPI

Affected Vendors

Affected Packages

@grackle-ai/server@<= 0.70.4 (fixed: 0.70.5)

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

First tracked: March 25, 2026 at 02:00 PM

Classified by LLM (prompt v3) · confidence: 85%