PT-2025-12486 · Go · github.com/mccutchen/go-httpbin +1

Published: 2025-03-21 · Updated: 2025-03-21

CVSS v4.0: 1.3 (Low)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Description

The go-httpbin framework is vulnerable to XSS because the user can control the response Content-Type through a GET parameter. This allows an attacker to execute cross-site scripts in the victim's browser.

Affected URLs:

  • /response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E
  • /base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html
  • /base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html

Steps to reproduce:

  1. Visit one of the URLs listed above.
  2. An XSS alert window will pop up.

Suggested fix

  • Allow only safe Content-Type values, or give users the option to define whitelisted Content-Type headers.
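
One way to apply the suggested allowlist, as an added example that is not go-httpbin's own code or its actual patch. The names `allowedTypes`, `fallbackType`, `safeContentType`, `echoHandler` and `servedType`, and the choice of allowed types, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// allowedTypes is a constructed allowlist of media types that browsers do not
// render as active content.
var allowedTypes = map[string]bool{
	"text/plain":               true,
	"application/json":         true,
	"application/octet-stream": true,
}

const fallbackType = "text/plain; charset=utf-8"

// safeContentType returns the canonical media type if it is allowlisted;
// anything else (text/html, image/svg+xml, unparsable input) falls back.
func safeContentType(requested string) string {
	mediaType, _, err := mime.ParseMediaType(requested) // lowercases the type
	if err != nil || !allowedTypes[mediaType] {
		return fallbackType
	}
	return mediaType
}

// echoHandler (hypothetical) reflects query parameters in the body, as the
// affected endpoints do, but filters the caller-chosen Content-Type.
func echoHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", safeContentType(q.Get("Content-Type")))
	w.Header().Set("X-Content-Type-Options", "nosniff") // disable MIME sniffing
	for key, values := range q {
		fmt.Fprintf(w, "%s=%v\n", key, values)
	}
}

// servedType returns the Content-Type echoHandler sends for a request target.
func servedType(target string) string {
	rec := httptest.NewRecorder()
	echoHandler(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Content-Type")
}

func main() {
	fmt.Println(servedType("/response-headers?Content-Type=text/html&xss=%3Cb%3E"))
}
```

With this filter the reflected markup is still echoed, but it is served as `text/plain` and the browser does not parse it as HTML.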

Criticality

The issue can have the following major impacts:
  • Access to the victim's sensitive Personally Identifiable Information
  • Access to the CSRF token
  • Cookie injection
  • Phishing
  • Anything else JavaScript can perform

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-528Q-4PGM-WVG2

Affected Products

github.com/mccutchen/go-httpbin
github.com/mccutchen/go-httpbin/v2