What happened
9Router's proxy middleware left the CLI-tools and MCP bridge API surface completely unauthenticated between versions 0.4.30 and 0.4.37, allowing any remote, unauthenticated attacker to register custom plugins and trigger command execution through the MCP bridge.
Why it matters
9Router sits in front of LLM API traffic as a proxy/router; unauthenticated RCE on this component gives an attacker full control of the host running the AI gateway, including access to all proxied LLM API keys and any downstream tool-execution capability exposed via MCP — a maximal-severity (CVSS 10.0) supply-chain-style compromise of AI infrastructure.
Attack vector
src/proxy.js middleware failed to protect /api/cli-tools/* and /api/mcp/* routes, letting an unauthenticated remote attacker register arbitrary customPlugins via the cowork-settings route and execute commands through the MCP bridge without any authentication.
Affected systems
9Router (AI router & token saver) versions 0.4.30–0.4.37
Mitigation
Upgrade to 9Router 0.4.38 or later; audit for unauthorized plugin registrations. See vendor commit at github.com/decolua/9router.