CVE-2025-54414
BaseFortify
Publication date: 2025-07-26
Last updated on: 2025-07-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| techarohq | anubis | 1.21.2 |
| techarohq | anubis | 1.21.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54414 is a vulnerability in the Anubis Web AI Firewall Utility where attackers can craft malicious pass-challenge URLs that exploit nonstandard URL schemes like 'javascript:'. When a user interacts with the 'Try again' button on these pages, arbitrary JavaScript code can execute in the user's browser, leading to a cross-site scripting (XSS) attack. This happens because the application improperly handles redirect URLs, allowing execution of unauthorized scripts. The issue was fixed by restricting allowed redirect URLs to only 'http' and 'https' schemes and changing the 'Try again' button to ignore user-supplied redirects, instead redirecting users to the home page. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your browser when interacting with the Anubis pass-challenge feature. This can lead to cross-site scripting (XSS) attacks, which may compromise confidentiality and integrity of your data by stealing sensitive information or performing unauthorized actions on your behalf. The attack requires no privileges but does require user interaction, such as clicking the 'Try again' button. It does not affect system availability but can facilitate phishing attacks and other malicious activities. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and inspecting network traffic for requests to the path /.within.website/x/cmd/anubis/api/pass-challenge that include the ?redir= parameter with values starting with nonstandard URL schemes such as 'javascript:'. For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests matching this pattern. A sample tcpdump command to detect such requests is `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/.within.website/x/cmd/anubis/api/pass-challenge' | grep 'redir=javascript:'` (the BPF expression keeps only TCP segments that carry payload; note that this only sees plaintext HTTP on port 80, and a literal grep for 'redir=javascript:' misses URL-encoded or mixed-case variants of the scheme). Additionally, web server or reverse proxy logs can be searched for requests to this route with suspicious redir parameters. Detecting attempts to exploit this vulnerability involves identifying requests whose redirect parameter is neither an 'http' or 'https' URL nor a local path redirect. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include blocking any requests to the route /.within.website/x/cmd/anubis/api/pass-challenge where the redir parameter is neither an 'http' or 'https' URL nor a local path redirect. This can be done via firewall rules, web application firewall (WAF) configurations, or reverse proxy rules. Additionally, upgrading the Anubis software to version 1.21.3 or later is strongly recommended, as this version contains the complete fix that restricts redirect URLs to safe schemes and modifies the 'Try again' button behavior to prevent execution of arbitrary JavaScript code. Avoid using version 1.21.2, as it contains an incomplete fix. [2, 3]
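The log search and allow-list check described in the detection and mitigation answers above, as an added example (not code from the Anubis project): it reads constructed access-log lines, pulls the redir parameter from requests to the pass-challenge route, and applies the http/https-or-local-path rule after decoding and case-folding the value, so encoded or mixed-case 'javascript:' variants are caught. The log format, IP addresses and sample lines are constructed.

```python
"""Flag suspicious ?redir= values on the Anubis pass-challenge route.
Added example for this page; the log format and lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

PASS_CHALLENGE_PATH = "/.within.website/x/cmd/anubis/api/pass-challenge"
ALLOWED_SCHEMES = {"http", "https"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed combined-log-style lines; the request target is inside the quotes.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jul/2025:10:00:01 +0000] "GET /.within.website/x/cmd/anubis/api/pass-challenge?redir=https%3A%2F%2Fexample.org%2Fdocs HTTP/1.1" 302 0
203.0.113.9 - - [26/Jul/2025:10:00:02 +0000] "GET /.within.website/x/cmd/anubis/api/pass-challenge?redir=javascript:void(0) HTTP/1.1" 302 0
203.0.113.9 - - [26/Jul/2025:10:00:03 +0000] "GET /.within.website/x/cmd/anubis/api/pass-challenge?redir=%20JavaScript%3Avoid(0) HTTP/1.1" 302 0
203.0.113.7 - - [26/Jul/2025:10:00:04 +0000] "GET /.within.website/x/cmd/anubis/api/pass-challenge?redir=/account HTTP/1.1" 302 0
203.0.113.7 - - [26/Jul/2025:10:00:05 +0000] "GET /.within.website/x/cmd/anubis/api/pass-challenge?redir=//evil.example/ HTTP/1.1" 302 0
203.0.113.8 - - [26/Jul/2025:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def is_allowed_redirect(redir: str) -> bool:
    """Allow-list matching the fix described for this CVE: only absolute
    http/https URLs or a same-site path are acceptable redirect targets.
    Decode once more and strip whitespace so a double-encoded or padded
    'javascript:' value does not slip past as an apparently harmless string."""
    value = unquote(redir).strip()
    parts = urlsplit(value)  # urlsplit lower-cases the scheme for us
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return True
    # Local path: a single leading "/" and no scheme or host.
    # A protocol-relative "//host/..." is neither local nor http(s), so reject it.
    return (not parts.scheme and not parts.netloc
            and value.startswith("/") and not value.startswith("//"))


def suspicious_redirects(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, redir) pairs for pass-challenge requests whose redir
    value fails the allow-list; other routes and allowed values are ignored."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != PASS_CHALLENGE_PATH:
            continue
        for redir in parse_qs(target.query).get("redir", []):
            if not is_allowed_redirect(redir):
                hits.append((line.split(" ", 1)[0], redir))
    return hits


if __name__ == "__main__":
    for ip, redir in suspicious_redirects(SAMPLE_LOG):
        print(f"suspicious redir from {ip}: {redir!r}")
```

The same `is_allowed_redirect` predicate is what a reverse proxy or WAF rule for the route should enforce until the upgrade to 1.21.3 is done.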