PT-2026-30391 · Npm · @Grackle-Ai/Server

Published

2026-03-25

·

Updated

2026-03-25

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Impact

The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.
While the current XSS attack surface is small (React-markdown is configured safely, no dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.
Affected code:
  • packages/server/src/index.ts — all res.writeHead() calls only set Content-Type, with no security headers

Patches

0.70.4
Fix: Add security headers to all HTML/API responses:
typescript
res.writeHead(200, {
 "Content-Type": contentType,
 "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:",
 "X-Frame-Options": "DENY",
 "X-Content-Type-Options": "nosniff"
});

Workarounds

Use a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.

References

  • CWE-693: Protection Mechanism Failure
  • OWASP: HTTP Security Response Headers
  • File: packages/server/src/index.ts

Fix

XSS

Protection Mechanism Failure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-693

Related Identifiers

GHSA-3MJM-X6GW-2X42

Affected Products

@Grackle-Ai/Server