DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-45286: go-httpbin: How a Trusting API Became an XSS Cannon

Vulnerability ID: CVE-2025-45286
CVSS Score: 7.2
Published: 2026-01-02

The mccutchen/go-httpbin library, a popular tool for testing HTTP clients, contained a classic but potent Reflected Cross-Site Scripting (XSS) vulnerability. By allowing attackers to control the Content-Type response header via a simple URL parameter, the application could be tricked into serving malicious HTML to users. This turned a harmless testing utility into a weapon for executing arbitrary JavaScript in a victim's browser, demonstrating the timeless lesson that trusting user input for response metadata is a recipe for disaster.

TL;DR

A Reflected XSS in go-httpbin lets attackers execute JavaScript in a victim's browser by crafting a URL that sets the response Content-Type to text/html and injects a script payload. The server reflects the input without validation, so the victim's browser renders the script in the application's origin and the user's session within that domain is compromised.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS v3.0 Score: 7.2 (Medium)
  • Attack Vector: Network
  • Impact: Arbitrary JavaScript execution in the user's browser, leading to session hijacking, data theft, and phishing.
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • mccutchen/go-httpbin
  • go-httpbin: < 2.18.0 (Fixed in: 2.18.0)

Code Analysis

Commit: 0decfd1

fix: prevent reflected XSS in /response-headers endpoint

Exploit Details

  • Vulners: PoC URL: /response-headers?Content-Type=text/html&xss=
  • Vulners: PoC URL: /base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html
  • Nuclei Template: Detection logic using a crafted GET request to the /response-headers endpoint.

Mitigation Strategies

  • Upgrade to the patched version (v2.18.0 or newer).
  • Implement a strict Content-Security-Policy (CSP) to prevent execution of untrusted inline scripts.
  • Use a Web Application Firewall (WAF) to filter for common XSS payloads in URL parameters.
  • Ensure the --unsafe-allow-dangerous-responses flag is NOT used in production environments.
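As an added illustration of the flaw described in the TL;DR and of the mitigations listed above, the Go snippet below reconstructs the reflecting pattern next to a hardened version. It is example code written for this page, not go-httpbin's source and not the fix in commit 0decfd1; the handler names, the `safeMediaTypes` allowlist, the `serve` helper and the constructed probe URL are all assumptions of this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableResponseHeaders reconstructs the pattern the advisory describes:
// every query parameter is copied verbatim into a response header and echoed
// in the body, so a client-supplied Content-Type=text/html makes the browser
// render that echo as HTML. Illustrative only; not go-httpbin's actual source.
func vulnerableResponseHeaders(w http.ResponseWriter, r *http.Request) {
	for name, values := range r.URL.Query() {
		for _, v := range values {
			w.Header().Add(name, v)
		}
	}
	fmt.Fprintf(w, "%s\n", r.URL.RawQuery)
}

// safeMediaTypes is the allowlist this example assumes: media types a browser
// will not treat as an active (scriptable) document.
var safeMediaTypes = map[string]bool{
	"application/json": true,
	"text/plain":       true,
}

// isSafeContentType reports whether a client-supplied Content-Type value may
// be reflected. Parameters such as charset are ignored; unparsable values are
// rejected rather than passed through.
func isSafeContentType(value string) bool {
	mediaType, _, err := mime.ParseMediaType(value)
	if err != nil {
		return false
	}
	return safeMediaTypes[strings.ToLower(mediaType)]
}

// hardenedResponseHeaders reflects the same parameters but validates before it
// reflects anything, refuses any Content-Type outside the allowlist, and sets
// its protective headers last with Set so the query string cannot override them.
func hardenedResponseHeaders(w http.ResponseWriter, r *http.Request) {
	query := r.URL.Query()
	for name, values := range query {
		// Header names are case-insensitive; canonicalise before comparing so
		// "content-type" and "Content-Type" are handled identically.
		if http.CanonicalHeaderKey(name) != "Content-Type" {
			continue
		}
		for _, v := range values {
			if !isSafeContentType(v) {
				http.Error(w, "refusing to reflect this Content-Type", http.StatusBadRequest)
				return
			}
		}
	}
	for name, values := range query {
		for _, v := range values {
			w.Header().Add(name, v)
		}
	}
	// Defence in depth: even if a future bug lets HTML through, the browser is
	// told not to sniff the type and not to run any script.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'")
	fmt.Fprintf(w, "%s\n", r.URL.RawQuery)
}

// serve runs a handler against a constructed GET request and returns the
// recorded response so the two behaviours can be compared offline.
func serve(h http.HandlerFunc, target string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec
}

func main() {
	// Constructed probe with the shape of the advisory's PoC URL and a benign body.
	const probe = "/response-headers?Content-Type=text/html&note=harmless"
	v := serve(vulnerableResponseHeaders, probe)
	fmt.Printf("vulnerable: status=%d content-type=%q\n", v.Code, v.Header().Get("Content-Type"))
	h := serve(hardenedResponseHeaders, probe)
	fmt.Printf("hardened:   status=%d content-type=%q\n", h.Code, h.Header().Get("Content-Type"))
}
```

The two design choices worth copying are the order of operations (validate the whole query before a single header is reflected, so a rejection never leaks partially applied headers) and setting the protective headers with `Set` after reflection, which is what stops a request from supplying its own `X-Content-Type-Options` or `Content-Security-Policy` value.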

Remediation Steps:

  1. Identify all instances of mccutchen/go-httpbin in your environment.
  2. Update the dependency to version v2.18.0 or later.
  3. Review startup scripts and environment variables to ensure UNSAFE_ALLOW_DANGEROUS_RESPONSES is not set to true.
  4. Deploy and test a Content-Security-Policy header on the application to mitigate the impact of any future XSS flaws.

Read the full report for CVE-2025-45286 on our website for more details including interactive diagrams and full exploit analysis.