## High-Severity IDOR Vulnerability in ClusterClient Enables Payload Injection via Predictable Ask IDs
A critical vulnerability has been identified in the ClusterClient implementation that allows an attacker with frame-level write access to the cluster-client TCP socket to resolve in-flight asks with attacker-controlled payloads. The flaw stems from the `nextAskId()` generator at lines 82-86 of `src/cluster/ClusterClient.ts`, which produces predictable identifiers using `Date.now()+counter`. This predictability enables malicious actors to inject or substitute responses for pending asynchronous operations, effectively hijacking the ask-response cycle between cluster nodes.

Exploitation requires direct frame-level write access to the wire, which can be obtained through several vectors: a man-in-the-middle position on plaintext `tcp://` connections, a compromised peer within the cluster, or a malicious cluster node sitting between the client's contact point and the intended target. Once an attacker can inject a single frame onto the socket, they can correlate the predictable ask ID pattern and craft responses that the client will accept as legitimate. The `ask()` method registers pending callbacks under these IDs (lines 153-180), and the reply handler (lines 270-300) retrieves them using `pending.get(askId)`, with no check that the reply came from the peer the ask was sent to, creating a classic Insecure Direct Object Reference (IDOR) pattern.

While TLS encryption for cluster transport—available through `TlsTransportSettings`—closes the network-injection attack vector, it does not mitigate risks from a compromised cluster peer that can issue frames legitimately. Organizations relying on ClusterClient should prioritize enabling TLS for all cluster communications and evaluate whether additional integrity checks on ask-response pairs are warranted given their deployment topology.
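To make the two mitigations concrete, here is an added example (not code from ClusterClient or its repository) that models the ask/reply registry the write-up describes: a weak `Date.now() + counter` ID generator beside a CSPRNG-backed one, a `looksPredictable()` self-check a test suite can run against whichever generator is in use, and an `AskRegistry` whose reply handler only resolves a pending ask when the reply arrives on the same peer connection the ask went out on. The frame shape, the `fromPeer` field and all class and function names are assumptions for this example.

```typescript
import { randomBytes } from "node:crypto";

// Assumed reply-frame shape for this example (not ClusterClient's real frame type).
export interface ReplyFrame {
  askId: string;
  fromPeer: string; // transport-level identity of the connection the frame arrived on
  payload: unknown;
}

interface PendingAsk {
  peer: string; // connection the ask was sent on; the reply must come back on it
  resolve: (payload: unknown) => void;
  reject: (err: Error) => void;
  timer: ReturnType<typeof setTimeout>;
}

let weakCounter = 0;
// Weak generator in the style the write-up describes: wall clock plus a counter.
// Anyone who sees one ID, or simply knows the time, can enumerate its neighbours.
export function weakNextAskId(): string {
  return String(Date.now() + weakCounter++);
}

// Hardened generator: 128 bits from the OS CSPRNG; unguessable and collision-free in practice.
export function strongNextAskId(): string {
  return randomBytes(16).toString("hex");
}

// Defender-side self-check: do consecutive IDs look like a monotonically increasing
// clock/counter sequence with small steps? Run this over the live generator in CI.
export function looksPredictable(ids: string[], maxStep = 10_000): boolean {
  if (ids.length < 2 || !ids.every((id) => /^\d+$/.test(id))) return false;
  for (let i = 1; i < ids.length; i++) {
    const step = Number(ids[i]) - Number(ids[i - 1]);
    if (step < 0 || step > maxStep) return false;
  }
  return true;
}

export type ReplyOutcome = "resolved" | "unknown_ask" | "peer_mismatch";

export class AskRegistry {
  private readonly pending = new Map<string, PendingAsk>();

  // Defaults to the hardened generator; the weak one is injectable for contrast tests.
  constructor(private readonly nextAskId: () => string = strongNextAskId) {}

  ask(peer: string, timeoutMs = 5_000): { askId: string; reply: Promise<unknown> } {
    const askId = this.nextAskId();
    const reply = new Promise<unknown>((resolve, reject) => {
      const timer = setTimeout(() => {
        this.pending.delete(askId);
        reject(new Error(`ask ${askId} timed out`));
      }, timeoutMs);
      // Do not keep the process alive just for a pending ask (Node-only, hence the guard).
      (timer as unknown as { unref?: () => void }).unref?.();
      this.pending.set(askId, { peer, resolve, reject, timer });
    });
    return { askId, reply };
  }

  // Integrity check on the ask/reply pair: the ID must be pending AND the reply must
  // arrive on the connection the ask was sent over. A frame injected by a third party
  // on another connection is rejected even if it guessed the ID.
  handleReply(frame: ReplyFrame): ReplyOutcome {
    const entry = this.pending.get(frame.askId);
    if (!entry) return "unknown_ask";
    if (entry.peer !== frame.fromPeer) return "peer_mismatch";
    clearTimeout(entry.timer);
    this.pending.delete(frame.askId);
    entry.resolve(frame.payload);
    return "resolved";
  }

  pendingCount(): number {
    return this.pending.size;
  }
}
```

The peer binding does not help against a compromised peer that the ask was genuinely sent to, which matches the write-up's caveat; it closes the case where some other node on the wire answers on the original node's behalf. Logging `unknown_ask` and `peer_mismatch` outcomes gives a cheap detection signal for frames that should never occur in a healthy cluster.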
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security-vulnerability, idor, cluster-client, payload-injection, predictable-ids
- **Credibility**: unverified
- **Published**: 2026-05-15 05:48:40
- **ID**: 83333
- **URL**: https://whisperx.ai/en/intel/83333