A significant security vulnerability has been identified in Microsoft’s recently introduced NLWeb protocol, which was highlighted during the company’s Build event just a few months prior. Marketed as the “HTML for the Agentic Web,” NLWeb aims to provide ChatGPT-like search capabilities across various websites and applications. The discovery of this critical flaw occurs at a pivotal time as Microsoft begins to roll out NLWeb to several customers, including Shopify, Snowflake, and TripAdvisor.
The vulnerability permits remote users to access sensitive files, such as system configuration settings and API keys for OpenAI or Gemini. Alarmingly, this is a classic path traversal vulnerability, making it simple to exploit by accessing a specially crafted URL. Although Microsoft has issued a patch, the incident raises concerns about the effectiveness of the enhanced security measures it has touted in recent initiatives.
Aonan Guan, a senior cloud security engineer at Wyze and one of the researchers who uncovered this flaw alongside Lei Wang, commented, “This case study underscores the necessity of reassessing the implications of long-standing vulnerabilities as we develop new AI-driven systems. These vulnerabilities now have the potential to compromise not only servers but also the underlying intelligence of AI agents.”
The security vulnerability was first reported to Microsoft on May 28, shortly after the protocol’s unveiling. A fix was made available on July 1; however, Microsoft has not assigned a CVE (Common Vulnerabilities and Exposures) identifier to the issue, which is a common industry practice for documenting vulnerabilities. Researchers have been urging Microsoft to provide a CVE, as it would help raise awareness and allow better tracking of the remedy, especially considering NLWeb’s nascent usage.
In a statement, Microsoft spokesperson Ben Hope acknowledged the issue, stating, “This matter was responsibly reported, and we have updated the open-source repository. Microsoft does not utilize the affected code in any of our products. Customers engaging with the repository are automatically safeguarded.”
According to Guan, users of NLWeb must deploy a new build to eliminate this flaw; failing to do so leaves any public-facing NLWeb setup open to unauthorized access to .env files, which can contain sensitive API keys.
The implications of this issue extend beyond basic file access. Guan pointed out that leaking a .env file poses significant risks, especially for AI agents. “These files hold API keys for large language models like GPT-4, which serve as the cognitive engine for the agents,” he explained. An attacker gaining access wouldn’t just pilfer credentials; they could compromise the agent’s reasoning and operational capabilities, leading to severe financial repercussions from API misuse or the potential creation of deceptive clones.
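As an added illustration of the mitigation for this vulnerability class (this is example code written for this article, not NLWeb's own handler, which the article does not show), a static-file endpoint can canonicalize the requested path and refuse anything that resolves outside its web root, while also denying dotfiles such as .env by name; the web-root directory and file names are assumed.

```python
from pathlib import Path
from typing import Optional

# Constructed example: the directory a static-file handler is allowed to serve
# from. Hypothetical layout, not NLWeb's.
WEB_ROOT = Path("/srv/app/static").resolve()

# Dotfiles are never legitimate static assets; .env in particular holds
# API keys, so reject hidden names even when they sit inside the web root.
BLOCKED_NAMES = {".env", ".git"}


def resolve_static_path(user_path: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Map an already URL-decoded request path to a file under `root`.

    Returns the canonical file path, or None if the request escapes the
    root or names a hidden file. Because the containment check runs on the
    resolved path, '..' segments and symlinks cannot move the result outside
    `root`. Decoding must happen exactly once, before this function is called.
    """
    # Strip the leading slash so joining does not replace the root outright.
    candidate = (root / user_path.lstrip("/")).resolve(strict=False)
    # Canonical containment check: candidate must be root or a descendant.
    if candidate != root and root not in candidate.parents:
        return None
    # Defense in depth: refuse hidden files anywhere in the relative path.
    rel_parts = candidate.relative_to(root).parts
    if any(part in BLOCKED_NAMES or part.startswith(".") for part in rel_parts):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, two that must be refused.
    for req in ("css/site.css", "docs/../index.html", "../.env", ".env"):
        print(f"{req!r:24} -> {resolve_static_path(req)}")
```

Only requests that escape the root or touch a hidden file are refused; a `..` that still resolves inside the root (the `docs/../index.html` case) is served normally.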
Simultaneously, Microsoft is moving forward with the integration of Model Context Protocol (MCP) support into Windows, a move met with caution by security experts who have expressed concerns regarding MCP in recent months. In light of the NLWeb vulnerability, it is paramount for Microsoft to carefully balance the swift rollout of new AI functionalities with maintaining robust security practices.