CVE-2026-13489
Status: Received - Intake

Improper Synchronization in 78 Xiaozhi-ESP32 MCP Response Handler

Vulnerability report for CVE-2026-13489, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A weakness has been identified in 78 xiaozhi-esp32 up to version 2.2.6. Affected is the function ParseMessage of the file main/mcp_server.cc in the component MCP Response Handler. Manipulation of this function leads to improper synchronization. The attack can be launched remotely; its complexity is rated as high and exploitation is known to be difficult. An exploit has been made available to the public and could be used for attacks. The pull request that fixes this issue awaits acceptance.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: 78 | Product: xiaozhi_esp32 | Version / Range: up to 2.2.6 (inclusive)

Helpful Resources

Exploitability

CWE ID: CWE-662
Description: The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Attack-Flow Graph

AI Quick Actions

Executive Summary

The vulnerability in the 78 xiaozhi-esp32 firmware lies in the MCP (Model Context Protocol) response handler, which broadcasts JSON-RPC responses to all connected WebSocket clients instead of returning each response only to the client that issued the request.

This happens because the server correlates responses by JSON-RPC id alone and discards the source WebSocket connection before the request is processed, so when a result is ready there is no record of which client asked for it. The weakness is classified as improper synchronization (CWE-662).

As a result, one client can observe responses intended for another, leading to cross-client exposure of potentially sensitive information such as device state, camera feeds, or sensor outputs.

The issue is located in the ParseMessage function of main/mcp_server.cc and related files. An exploit is publicly available, although it is rated difficult to execute.

Impact Analysis

This vulnerability can expose sensitive data to other clients connected to the same local network.

Attackers or other local clients could intercept or manipulate MCP responses, potentially gaining access to confidential information such as device state, camera feeds, or sensor data.

Such exposure compromises the confidentiality and integrity of the data, which affects the security and privacy of the device and its communications.

Detection Guidance

This vulnerability causes MCP (Model Context Protocol) JSON-RPC responses to be broadcast to all connected WebSocket clients instead of only the originating client. Detection can therefore focus on monitoring WebSocket traffic on the local network for MCP responses that are delivered to multiple clients indiscriminately.

Network traffic analysis tools such as Wireshark or tcpdump can capture the WebSocket frames so that the MCP JSON-RPC responses inside them can be inspected. Look for identical MCP response messages (same JSON-RPC id and result) being sent from the device to more than one client.

Example commands to capture WebSocket traffic on the relevant network interface (replace eth0 with your interface):

  • tcpdump -i eth0 -w capture.pcap port 80 or port 443
  • tshark -r capture.pcap -Y "websocket" -V

Note that frames carried over port 443 are TLS-encrypted, so their JSON-RPC payloads are only readable in a capture if the session keys are available to Wireshark; plaintext WebSocket traffic on port 80 can be inspected directly.

After capturing, analyze the WebSocket messages to check whether MCP responses are broadcast to multiple clients rather than being routed individually.
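The check described above, as an added example that is not part of the original advisory: given decoded WebSocket text frames (source, destination, payload), the function records which client sent each JSON-RPC request id and then flags every response id that the device delivered to a client other than its requester. The frames, the device address (from the TEST-NET-1 range) and the tool name are constructed sample data; in practice the tuples would be exported from a capture such as the tshark run above.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed device address (TEST-NET-1); not taken from the advisory.
SERVER = "192.0.2.10:80"

# Constructed decoded WebSocket text frames as (src, dst, payload).
# Client 21 asks for id 7; the device answers clients 21, 22 and 23 (fan-out).
# Client 22 asks for id 8 and is the only one that receives the answer.
FRAMES: List[Tuple[str, str, str]] = [
    ("192.0.2.21:50001", SERVER,
     '{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"get_device_status"}}'),
    (SERVER, "192.0.2.21:50001", '{"jsonrpc":"2.0","id":7,"result":{"battery":87}}'),
    (SERVER, "192.0.2.22:50002", '{"jsonrpc":"2.0","id":7,"result":{"battery":87}}'),
    (SERVER, "192.0.2.23:50003", '{"jsonrpc":"2.0","id":7,"result":{"battery":87}}'),
    ("192.0.2.22:50002", SERVER, '{"jsonrpc":"2.0","id":8,"method":"tools/list"}'),
    (SERVER, "192.0.2.22:50002", '{"jsonrpc":"2.0","id":8,"result":{"tools":[]}}'),
    (SERVER, "192.0.2.23:50003", '{"jsonrpc":"2.0","method":"notifications/ping"}'),
]


def find_fanout(frames: Iterable[Tuple[str, str, str]],
                server: str) -> Dict[object, List[str]]:
    """Return {jsonrpc_id: [clients that received a response without asking]}.

    A response is a server->client frame carrying "result" or "error" and an id;
    a request is a client->server frame carrying "method" and an id. Frames
    without an id (notifications) and non-JSON payloads are ignored.
    """
    requesters: Dict[object, set] = defaultdict(set)   # id -> clients that used it
    recipients: Dict[object, set] = defaultdict(set)   # id -> clients that got a reply

    for src, dst, payload in frames:
        try:
            msg = json.loads(payload)
        except ValueError:
            continue                       # not JSON: binary or unrelated frame
        if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "id" not in msg:
            continue                       # notifications carry no id to correlate
        if dst == server and "method" in msg:
            requesters[msg["id"]].add(src)
        elif src == server and ("result" in msg or "error" in msg):
            recipients[msg["id"]].add(dst)

    findings: Dict[object, List[str]] = {}
    for rpc_id, dsts in recipients.items():
        leaked = dsts - requesters.get(rpc_id, set())
        if leaked:
            findings[rpc_id] = sorted(leaked)
    return findings


if __name__ == "__main__":
    for rpc_id, clients in find_fanout(FRAMES, SERVER).items():
        print(f"response id {rpc_id} also delivered to: {', '.join(clients)}")
```

JSON-RPC ids are only unique per client, so a long capture in which two clients happen to reuse the same id would hide a fan-out between exactly those two; keying the requester map on (client, id) and comparing response bodies removes that blind spot.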

Mitigation Strategies

Immediate mitigation consists of restricting access to the affected 78 xiaozhi-esp32 devices on your network to trusted clients only, since the vulnerability lets any local network client intercept or manipulate MCP responses.

Because the exploit complexity is high and the fix is still pending acceptance in the official pull request, monitor the project's repository for updates and apply the patch once it is accepted and released.

In the meantime, consider isolating the devices from untrusted networks and disabling or limiting WebSocket access where possible to reduce exposure.

The pending fix implements a per-client generation ID so that each MCP response is routed only to the client that originated the request, preventing cross-client data exposure.
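To make the routing difference concrete, here is an added example (not the project's code and not the patch under review) that models both behaviours in a few lines. `BroadcastServer` mirrors the flaw as the advisory describes it: the source connection is dropped on receipt, so a finished tool result can only be broadcast. `RoutedServer` keeps the pending request keyed on (connection, id), which stands in for the per-client generation ID the fix describes; that key also keeps equal JSON-RPC ids from different clients from colliding, and a result whose key is unknown is dropped rather than broadcast. The connection names, tool name and result payload are constructed.

```python
import json
from typing import Dict, List, Optional, Tuple


class Connection:
    """Stand-in for one WebSocket client; frames sent to it land in `outbox`."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.outbox: List[dict] = []

    def send(self, message: dict) -> None:
        self.outbox.append(message)


class BroadcastServer:
    """Flawed pattern: only the numeric id is kept, so the response is fanned out."""

    def __init__(self, clients: List[Connection]) -> None:
        self.clients = clients
        self.pending: Dict[int, str] = {}          # id -> method; no connection kept

    def on_request(self, conn: Connection, frame: str) -> int:
        req = json.loads(frame)
        # The source connection `conn` is discarded here; the id alone survives.
        self.pending[req["id"]] = req["method"]
        return req["id"]

    def on_tool_result(self, rpc_id: int, result: dict) -> int:
        """Deliver the result; returns how many clients received it."""
        if self.pending.pop(rpc_id, None) is None:
            return 0
        reply = {"jsonrpc": "2.0", "id": rpc_id, "result": result}
        for c in self.clients:                     # nobody knows who asked: broadcast
            c.send(reply)
        return len(self.clients)


class RoutedServer:
    """Hardened pattern: the pending request is keyed on (connection, id)."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, int], Connection] = {}

    def on_request(self, conn: Connection, frame: str) -> Tuple[str, int]:
        req = json.loads(frame)
        key = (conn.name, req["id"])               # same id from another client is a different key
        self.pending[key] = conn
        return key

    def on_tool_result(self, key: Tuple[str, int], result: dict) -> int:
        """Deliver the result to its originator only; returns 1, or 0 if dropped."""
        conn: Optional[Connection] = self.pending.pop(key, None)
        if conn is None:
            return 0                               # unknown or already answered: drop, never broadcast
        conn.send({"jsonrpc": "2.0", "id": key[1], "result": result})
        return 1


def demo() -> Dict[str, Dict[str, int]]:
    """Two clients per server send the same constructed request (id 1)."""
    frame = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                        "params": {"name": "get_device_status"}})   # constructed tool name
    result = {"battery": 87}                                        # constructed result

    alice, bob = Connection("alice"), Connection("bob")
    broadcast = BroadcastServer([alice, bob])
    broadcast.on_request(alice, frame)
    broadcast.on_tool_result(1, result)            # bob receives alice's result too

    carol, dave = Connection("carol"), Connection("dave")
    routed = RoutedServer()
    key_carol = routed.on_request(carol, frame)
    routed.on_request(dave, frame)                 # same id, different client: no collision
    routed.on_tool_result(key_carol, result)       # only carol receives it
    routed.on_tool_result(("mallory", 1), result)  # unregistered key: dropped

    return {
        "broadcast": {"alice": len(alice.outbox), "bob": len(bob.outbox)},
        "routed": {"carol": len(carol.outbox), "dave": len(dave.outbox)},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the composite key is that JSON-RPC ids are chosen by each client independently, so correlating on the id alone is ambiguous as soon as two clients are connected; the connection (or a generation number bound to it) has to be part of the lookup, and a result that no longer matches a pending key must be discarded rather than sent to everyone.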

Compliance Impact

The vulnerability causes MCP tool results to be broadcast to all connected local WebSocket clients instead of only the originating client, so sensitive data such as device state, camera feeds, or sensor outputs can reach unintended recipients.

This improper data exposure can compromise data confidentiality and integrity, which are core requirements under common standards and regulations such as GDPR and HIPAA.

Exploitation of this vulnerability could therefore lead to non-compliance with these regulations through unauthorized disclosure of personal data or protected health information.


EPSS Chart