
CVE-2022-31149: CWE-290: Authentication Bypass by Spoofing in ActivityWatch activitywatch

Medium
Published: Wed Sep 07 2022 (09/07/2022, 13:50:12 UTC)
Source: CVE
Vendor/Project: ActivityWatch
Product: activitywatch

Description

ActivityWatch is an open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 23:44:02 UTC

Technical Analysis

CVE-2022-31149 is a medium-severity vulnerability affecting ActivityWatch, an open-source automated time tracking application. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks, which allow an attacker to bypass authentication mechanisms by spoofing the origin of requests. Specifically, this vulnerability enables an attacker to gain unauthorized full access to the ActivityWatch REST API. DNS rebinding attacks exploit the way browsers enforce same-origin policies by manipulating DNS responses to resolve a domain name to a local IP address (127.0.0.1), thereby tricking the browser into sending requests to local services that are normally inaccessible from the web. Since ActivityWatch exposes a REST API locally, an attacker can leverage this flaw to interact with the API as if they were a trusted local user, bypassing authentication controls (CWE-290). The vulnerability affects all users running vulnerable versions of ActivityWatch prior to 0.12.0b2. The recommended remediation is to upgrade to version 0.12.0b2 or later, which includes a patch to mitigate the DNS rebinding attack vector. As a temporary workaround, blocking DNS lookups that resolve to 127.0.0.1 can reduce exposure by preventing the attacker's domain from resolving to the local loopback address. There are no known exploits in the wild at this time, but the vulnerability presents a significant risk due to the potential for unauthorized access to user activity data and control over the time tracking application.
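The standard server-side defence against DNS rebinding, given here as an added example (this is not ActivityWatch's own code; the port, allowlist and handler are assumed for illustration): a service bound to the loopback interface rejects any request whose Host header does not name the service itself, because a rebound request arrives over 127.0.0.1 but still carries the attacker's domain in Host.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for the example: the service listens on this port and is only
# ever addressed as localhost. The port is illustrative, not from the advisory.
LISTEN_PORT = 5600
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """Return True only if the Host header names the loopback service itself.

    In a DNS rebinding attack the browser puts the attacker's domain in Host
    even though the TCP connection lands on 127.0.0.1, so rejecting any Host
    value outside the allowlist (or with the wrong port) defeats the attack.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Split an optional ":port" suffix; a bracketed IPv6 literal keeps its brackets.
    m = re.fullmatch(r"(\[[0-9a-f:]+\]|[^:]+)(?::(\d{1,5}))?", host)
    if not m:
        return False
    name, port_str = m.group(1), m.group(2)
    if port_str is not None and int(port_str) != port:
        return False
    return name in allowed


class HardenedHandler(BaseHTTPRequestHandler):
    """A vulnerable handler would answer every request that reaches the
    loopback socket; this one validates Host before serving anything."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            self.send_error(403, "Forbidden: unexpected Host header")
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), HardenedHandler).serve_forever()
```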

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the extent to which ActivityWatch is deployed within their environments. ActivityWatch is primarily used for personal productivity tracking and may be adopted by individuals or teams within organizations. If exploited, an attacker could gain unauthorized access to sensitive user activity data, potentially exposing confidential information about employee behavior, project timelines, or productivity metrics. Furthermore, unauthorized control over the REST API could allow manipulation or deletion of tracking data, impacting data integrity and availability. In environments where ActivityWatch is integrated with other internal tools or workflows, this could lead to broader operational disruptions. Although the vulnerability requires local network access or a user to visit a malicious website, the ease of exploitation via DNS rebinding makes it a credible threat, especially in organizations with less restrictive network policies or where users frequently access untrusted web content. The confidentiality and integrity of user data are the primary concerns, with availability also potentially affected if the API is manipulated maliciously. Given the medium severity and the nature of the vulnerability, organizations should treat this as a moderate risk that warrants prompt remediation to prevent potential data leakage or operational interference.

Mitigation Recommendations

1. Upgrade all instances of ActivityWatch to version 0.12.0b2 or later immediately to apply the official patch that mitigates the DNS rebinding vulnerability.
2. Implement network-level controls to block DNS responses that resolve to 127.0.0.1 or other local IP addresses from untrusted domains, effectively preventing DNS rebinding attempts.
3. Configure browser security settings or use browser extensions that can detect and block DNS rebinding attacks, especially for users who run ActivityWatch locally.
4. Educate users about the risks of visiting untrusted websites while running ActivityWatch, as user interaction is required to trigger the attack via malicious web content.
5. Monitor network traffic for suspicious DNS queries or unusual API access patterns to detect potential exploitation attempts.
6. If feasible, isolate ActivityWatch instances within segmented network zones to limit exposure to external web traffic.
7. Review and harden local firewall and host-based security policies to restrict access to the ActivityWatch REST API to trusted processes and users only.
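For recommendations 2 and 5, an added example (not from the advisory or from any real resolver) of the check a rebind-protecting resolver applies: answers that map an untrusted name to loopback, private or link-local space are dropped and recorded, which generalises the advisory's 127.0.0.1 workaround to the whole local range; the sample answers and the trusted-suffix allowlist are constructed.

```python
import ipaddress

# Constructed sample answers as a filtering resolver would see them:
# (queried name, records returned by the upstream server). The second entry is
# the rebinding step: the same name now points at loopback.
SAMPLE_ANSWERS = [
    ("attacker-controlled.example", ["203.0.113.10"]),
    ("attacker-controlled.example", ["127.0.0.1"]),
    ("internal.corp.example", ["10.0.0.5"]),
]

# Assumption: the organisation keeps an allowlist of its own internal zones,
# whose names may legitimately resolve to private addresses.
TRUSTED_SUFFIXES = (".corp.example",)

# Ranges a rebinding attack aims for: loopback, RFC 1918, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_rebinding_target(ip):
    """True if the address lies in local/private space; an IPv4-mapped IPv6
    address such as ::ffff:127.0.0.1 is unwrapped so it cannot slip through."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCAL_NETS)


def is_trusted_name(name):
    return name.lower().rstrip(".").endswith(TRUSTED_SUFFIXES)


def filter_answer(name, records):
    """Return (kept, dropped): for an untrusted name every local/private record
    is dropped, so the browser never gets a loopback address for that domain."""
    if is_trusted_name(name):
        return list(records), []
    kept, dropped = [], []
    for r in records:
        (dropped if is_rebinding_target(r) else kept).append(r)
    return kept, dropped


def review_answers(answers):
    """Drops across a batch of answers: the event a monitoring rule alerts on."""
    return [(name, filter_answer(name, recs)[1])
            for name, recs in answers if filter_answer(name, recs)[1]]
```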


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf688f

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:44:02 PM

Last updated: 7/26/2025, 12:09:02 PM

