Algernon is a small self-contained pure-Go web server
Algernon, a Go web server, prior to version 1.17.7, configured its SSE event server to bind to `0.0.0.0:5553` by default on Linux/macOS. This left the server reachable from the adjacent network, possibly without the operator intending it, which increases its attack surface.
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to `0.0.0.0:5553` on Linux/macOS by default because the platform-dependent host default in `engine/flags.go:39-46` set `host = ""` for non-Windows, and `utils.JoinHostPort("", ":5553")` resolves to `":5553"`. This vulnerability is fixed in 1.17.7.
Algernon users on Linux/macOS running versions prior to 1.17.7 are at moderate risk due to the SSE server being unintentionally exposed to the adjacent network by default.
Monitor & Review
Low severity — keep this CVE on your radar and patch during routine maintenance.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N