The go-httpbin framework is vulnerable to XSS as the user can control the Response Content-Type from GET parameter. This allows attacker to execute cross site scripts in victims browser.
/response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/htmlThe following can be major impacts of the issue:
* Access to victim's sensitive Personal Identifiable Information.
* Access to CSRF token
* Cookie injection
* Phishing
* And any other thing Javascript can perform
| Score | Percentile |
|---|---|
| 0.01% | 2.13% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 1.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-528q-4pgm-wvg2 ↗ |
| CVE | CVE-2025-45286 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/mccutchen/go-httpbin | < 2.18.0 | 2.18.0 | — |
| go | github.com/mccutchen/go-httpbin/v2 | < 2.18.0 | 2.18.0 | — |