DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CWV4-H3J5-W3CF: GHSA-CWV4-H3J5-W3CF: Stored and Reflected Cross-Site Scripting in rama's Directory Listing Component

GHSA-CWV4-H3J5-W3CF: Stored and Reflected Cross-Site Scripting in rama's Directory Listing Component

Vulnerability ID: GHSA-CWV4-H3J5-W3CF
CVSS Score: 3.7
Published: 2026-07-07

A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.

TL;DR

Unescaped directory rendering in the Rust library 'rama' (< 0.3.0-rc.1) allows arbitrary stored and reflected XSS when dynamic file index pages are enabled.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-116
  • Attack Vector: Local (with network implications depending on architecture)
  • CVSS v3.1 Score: 3.7 (Advisory Official) / 6.5 (Reporter Suggested)
  • Impact: Stored & Reflected Cross-Site Scripting (XSS)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed
  • Component: rama-http/src/service/fs/serve_dir/open_file.rs

Affected Systems

  • rama
  • rama-http
  • rama: < 0.3.0-rc.1 (Fixed in: 0.3.0-rc.1)

Code Analysis

Commit: 89ddff5

Refactored HTML output and directory serving logic to use safe macro-based auto-escaping engines and percent-encode URI strings.

Mitigation Strategies

  • Upgrade 'rama' to version 0.3.0-rc.1 or higher.
  • Disable dynamic HTML directory listing by setting DirectoryServeMode::NotFound.
  • Sanitize uploaded filenames at the application boundary to reject HTML control characters.

Remediation Steps:

  1. Open your Cargo.toml file.
  2. Find the 'rama' dependency and update the version specifier to '0.3.0-rc.1' or later.
  3. Run 'cargo update' to apply changes.
  4. If immediate upgrade is impossible, modify your ServeDir initialization to use DirectoryServeMode::NotFound.

References


Read the full report for GHSA-CWV4-H3J5-W3CF on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)