CVE-2025-45286
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-07

Assigner: MITRE

Description
A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-45286
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
httpbingo go-httpbin to 2.18.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to execute arbitrary scripts in users' browsers, potentially leading to theft of sensitive personal identifiable information (PII), access to CSRF tokens, cookie injection, and phishing attacks. Such unauthorized access and exposure of PII can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches. [1, 2]

Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the go-httpbin framework versions prior to 2.18.0. It occurs because the application allows attackers to control the HTTP Response Content-Type header via GET parameters without validation. By crafting malicious URLs, attackers can inject and execute arbitrary JavaScript or HTML in the victim's browser, leading to potential malicious actions such as stealing sensitive information or performing phishing attacks. [1, 2]

Impact Analysis

Exploitation of this vulnerability can lead to execution of arbitrary JavaScript in a victim's browser. This can result in theft of sensitive personal identifiable information (PII), access to CSRF tokens, cookie injection, phishing attacks, and other malicious actions that can compromise user security and privacy. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the affected go-httpbin server for reflected Cross-Site Scripting (XSS) via crafted URLs that manipulate the Content-Type header. Example URLs to test include: `/response-headers?Content-Type=text/html&xss=<img/src/onerror=alert('xss')>`, `/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`, and `/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`. You can use curl commands to test these endpoints, for example: `curl -i 'http://yourserver/response-headers?Content-Type=text/html&xss=<img/src/onerror=alert(1)>'` and observe if the response reflects the injected script without sanitization. If the script executes in a browser or the response contains the injected payload interpreted as HTML, the vulnerability is present. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting or whitelisting acceptable Content-Type header values to safe types within the go-httpbin application. Providing users with an option to define allowed Content-Type headers can prevent injection of malicious content types. Upgrading the go-httpbin framework to version 2.18.0 or later, where this vulnerability is fixed, is strongly recommended. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-45286. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart