CVE-2025-15095
Unknown Unknown - Not Provided
Cross-Site Scripting in Postmanlabs httpbin Core.py Remote Exploit

Publication date: 2025-12-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15095
EUVD
EUVD-2025-205412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
postmanlabs httpbin 0.6.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript in the context of a victim's browser when they visit the vulnerable endpoint. This can lead to theft of cookies, session tokens, or other sensitive information, and potentially enable further malicious actions such as session hijacking or unauthorized actions performed on behalf of the user. [2, 3]

Executive Summary

CVE-2025-15095 is a reflected Cross-Site Scripting (XSS) vulnerability in the postmanlabs httpbin project, affecting versions up to 0.6.1. It occurs in the /base64 endpoint where user-controllable base64url-encoded input is decoded and directly embedded into the HTML response without proper encoding or sanitization. This allows attackers to inject malicious scripts that execute in the browsers of users who visit the affected endpoint. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the /base64 endpoint of the postmanlabs httpbin server for reflected Cross-Site Scripting (XSS). You can send a crafted GET request with a base64-encoded payload containing a script tag and observe if the response reflects the decoded script without proper encoding or sanitization. For example, using curl or Python requests, send a request to the /base64 endpoint with a base64-encoded string that includes a <script>alert('test')</script> payload. If the script executes or is present in the response HTML unencoded, the vulnerability exists. Example curl command: curl 'http://target-server/base64/PHNjcmlwdD5hbGVydCgndGVzdCcpPC9zY3JpcHQ+' where PHNjcmlwdD5hbGVydCgndGVzdCcpPC9zY3JpcHQ+ is the base64 encoding of <script>alert('test')</script>. [1, 3]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the vulnerable /base64 endpoint or disabling it if possible. Since the project has not provided an official fix, consider using alternative products or services that do not have this vulnerability. Additionally, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the /base64 endpoint. If you maintain the code, apply proper output encoding or sanitization on the decoded base64 content before embedding it in the HTML response to prevent script execution. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart