PT-2022-28166 · Unknown · Http-Swagger

Published 2022-04-22 · Updated 2025-01-16 · CVE-2024-25712

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: http-swagger versions prior to 1.2.6

Description: The issue allows an attacker to perform a denial-of-service (DoS) attack consisting of memory exhaustion on the host system, and cross-site scripting (XSS) attacks, by uploading malicious files. This is because a file uploaded via httpSwagger.WrapHandler and *webdav.memFile can be accessed later via a GET request.

Recommendations: For versions prior to 1.2.6, please upgrade to v1.2.6 to resolve the issue. As a temporary workaround, consider restricting the path prefix to the "GET" method, as shown in the example code that sets up a router with the httpSwagger.Handler restricted to http.MethodGet.
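The workaround above, as an added example that is not part of this advisory or of the http-swagger project: a standard-library router that mounts the documentation under /swagger/ and rejects every method except GET, so the upload path that feeds the in-memory file store is never reachable. The `swaggerStandIn` handler is an assumption used in place of `httpSwagger.Handler` so the example runs offline; in a real service that line is where the swagger handler goes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// swaggerStandIn replaces httpSwagger.Handler for this example (assumption:
// the real handler is not imported here). Mounted directly, a handler like
// this would receive PUT/POST uploads as well as GET requests.
func swaggerStandIn() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintf(w, "swagger ui: %s %s", r.Method, r.URL.Path)
	})
}

// getOnly is the advisory's workaround as middleware: only GET requests reach
// the wrapped handler; anything else (including file uploads) gets 405.
func getOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.Header().Set("Allow", http.MethodGet)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter mounts the docs under the /swagger/ path prefix with the
// method restriction applied in front of the handler.
func NewRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/swagger/", getOnly(swaggerStandIn()))
	return mux
}

// Probe returns the HTTP status the router answers for method on path.
func Probe(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	r := NewRouter()
	fmt.Println("GET /swagger/index.html ->", Probe(r, http.MethodGet, "/swagger/index.html"))
	fmt.Println("PUT /swagger/upload.html ->", Probe(r, http.MethodPut, "/swagger/upload.html"))
}
```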

Exploit

Fix

Weakness Enumeration

Improper Handling of Exceptional Conditions
Resource Exhaustion
XSS

Related Identifiers

CVE-2024-25712
GHSA-49W7-5R33-JM9M
GHSA-XG75-Q3Q5-CQMV
GO-2022-0427

Affected Products

Http-Swagger