CVE-2025-45286
BaseFortify
Publication date: 2026-01-02
Last updated on: 2026-01-07
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| httpbingo | go-httpbin | to 2.18.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the go-httpbin framework versions prior to 2.18.0. It occurs because the application allows attackers to control the HTTP Response Content-Type header via GET parameters without validation. By crafting malicious URLs, attackers can inject and execute arbitrary JavaScript or HTML in the victim's browser, leading to potential malicious actions such as stealing sensitive information or performing phishing attacks. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to execution of arbitrary JavaScript in a victim's browser. This can result in theft of sensitive personal identifiable information (PII), access to CSRF tokens, cookie injection, phishing attacks, and other malicious actions that can compromise user security and privacy. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected go-httpbin server for reflected Cross-Site Scripting (XSS) via crafted URLs that manipulate the Content-Type header. Example URLs to test include: `/response-headers?Content-Type=text/html&xss=<img/src/onerror=alert('xss')>`, `/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`, and `/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`. You can use curl commands to test these endpoints, for example: `curl -i 'http://yourserver/response-headers?Content-Type=text/html&xss=<img/src/onerror=alert(1)>'` and observe if the response reflects the injected script without sanitization. If the script executes in a browser or the response contains the injected payload interpreted as HTML, the vulnerability is present. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or whitelisting acceptable Content-Type header values to safe types within the go-httpbin application. Providing users with an option to define allowed Content-Type headers can prevent injection of malicious content types. Upgrading the go-httpbin framework to version 2.18.0 or later, where this vulnerability is fixed, is strongly recommended. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to execute arbitrary scripts in users' browsers, potentially leading to theft of sensitive personal identifiable information (PII), access to CSRF tokens, cookie injection, and phishing attacks. Such unauthorized access and exposure of PII can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches. [1, 2]