CVE-2025-45286: Reflected Cross-Site Scripting (XSS) in go-httpbin
Vulnerability ID: GHSA-528Q-4PGM-WVG2
CVSS Score: 6.1
Published: 2025-03-21
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in mccutchen/go-httpbin, a Go implementation of the popular httpbin service. The vulnerability stems from the improper handling of user-controlled input in the /response-headers and /base64 endpoints. Specifically, the application allows users to define the Content-Type header via query parameters while simultaneously reflecting unsanitized input in the response body. This combination allows an attacker to force the browser to interpret arbitrary data—such as malicious JavaScript—as executable code. Successful exploitation requires user interaction, typically achieved via phishing or social engineering, and can lead to session hijacking or unauthorized actions within the victim's browser context.
TL;DR
CVE-2025-45286 is a medium-severity XSS vulnerability in go-httpbin versions prior to v2.18.0. Attackers can execute arbitrary JavaScript in a victim's browser by crafting links to the /response-headers or /base64 endpoints that manipulate the Content-Type header. The fix involves strictly whitelisting safe content types and escaping output when non-safe types are requested.
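The two handlers below, an added example that is not go-httpbin's own code, contrast the flawed pattern (caller-chosen Content-Type plus verbatim reflection) with the allow-list-and-escape fix the advisory describes. The `body` query parameter, the `safeContentTypes` list, the `nosniff` header and the `serve` helper are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allow-list of types a browser will not render as active content (not the project's list).
var safeContentTypes = map[string]bool{"application/json": true, "text/plain": true}

// isSafeContentType compares only the media type, case-insensitively, ignoring "; charset=..." parameters.
func isSafeContentType(ct string) bool {
	mediaType := strings.TrimSpace(strings.ToLower(strings.SplitN(ct, ";", 2)[0]))
	return safeContentTypes[mediaType]
}

// vulnerableHandler mirrors the flawed pattern: the caller picks Content-Type and "body" is echoed verbatim.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", q.Get("Content-Type"))
	w.Write([]byte(q.Get("body")))
}

// hardenedHandler keeps the requested type but HTML-escapes the reflected data
// whenever that type is not allow-listed; nosniff is added as defence in depth.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	ct, body := q.Get("Content-Type"), q.Get("body")
	if !isSafeContentType(ct) {
		body = html.EscapeString(body)
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte(body))
}

// serve runs a handler against a constructed request and returns the response Content-Type and body.
func serve(h http.HandlerFunc, target string) (string, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	fmt.Println(serve(hardenedHandler, "/response-headers?Content-Type=text/html&body=%3Cb%3Ehi%3C%2Fb%3E"))
}
```

Run against the same constructed request, the vulnerable handler returns the markup untouched under `text/html`, while the hardened one returns it entity-encoded; a JSON request keeps its body because `application/json` is allow-listed.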
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 6.1
- EPSS Score: 0.01%
- Impact: Moderate (XSS)
- Exploit Status: PoC Available
- KEV Listed: No
Affected Systems
- mccutchen/go-httpbin prior to v2.18.0
- httpbingo:go-httpbin deployments
- go-httpbin: < 2.18.0 (Fixed in: 2.18.0)
Code Analysis
Commit: 0decfd1
Fixed reflected XSS by escaping responses with unsafe content types
func (h *HTTPBin) ResponseHeaders(w http.ResponseWriter, r *http.Request) {
- mustMarshalJSON(w, args)
+ if !isSafeContentType(contentType) {
+ // escape logic...
+ }
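Review bot: the escape branch is shown only as the placeholder comment `// escape logic...`, so the hunk does not let a reader verify how `args` is encoded when `isSafeContentType(contentType)` is false, nor what replaces the removed `mustMarshalJSON(w, args)` call on the safe-type path; the derivation of `contentType` from the request is also outside the visible lines. Expanding the hunk to include those lines, or at least the body of the `if` block, would make it possible to confirm that the allow-list matches on the media type alone and that the escaped path still returns the same data.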
Exploit Details
- GitHub Security Advisory: Official advisory containing PoC URLs for /response-headers and /base64 endpoints
Mitigation Strategies
- Input Validation
- Output Encoding
- Defense in Depth
Remediation Steps:
- Update mccutchen/go-httpbin to version v2.18.0 or later.
- Verify that the environment variable UNSAFE_ALLOW_DANGEROUS_RESPONSES is NOT set to true in production.
- If using a containerized deployment, pull the latest image tag corresponding to v2.18.0+.
- Review WAF logs for attempts to manipulate Content-Type via query parameters.
References
Read the full report for GHSA-528Q-4PGM-WVG2 on our website for more details including interactive diagrams and full exploit analysis.