CVE-2025-70093
Arbitrary Code Execution via AJAX Response in OpenSourcePOS
Publication date: 2026-02-13
Last updated on: 2026-02-17
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenSourcePOS version 3.4.1 and allows attackers to execute arbitrary code by returning a crafted AJAX response.
The root cause is how the application sets Content-Type headers on its AJAX responses: responses that are not sent as application/json can be interpreted by the client in a way that lets malicious content run as code.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary code on the affected system, potentially leading to unauthorized access, data manipulation, or disruption of service.
This could compromise the integrity and security of the OpenSourcePOS application and any sensitive data it processes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves AJAX responses in OpenSourcePOS v3.4.1 that are sent with an improper or missing Content-Type header, which allows attackers to execute arbitrary code via crafted AJAX responses.

To detect it on your system, inspect the AJAX responses returned by the OpenSourcePOS application and check whether the Content-Type header is set to "application/json".

You can use curl or a similar tool to inspect AJAX endpoints for their Content-Type headers. For example:

- curl -I http://your-opensourcepos-instance/path/to/ajax/endpoint
- Look for the Content-Type header in the response headers. If it is missing or not set to "application/json", the system may be vulnerable.

Note that curl -I sends a HEAD request, which the application may route or reject differently from the GET or POST the browser actually issues, and most OpenSourcePOS endpoints require an authenticated session. To see the headers the browser sees, send the same method and an X-Requested-With: XMLHttpRequest header together with a valid session cookie, and capture the headers with curl -s -D - -o /dev/null.

Additionally, you can use network monitoring tools like Wireshark or the browser's developer tools (Network tab) to inspect AJAX responses and verify their Content-Type headers. [2]
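The following shell script is an added example for the check described above; it is not code from this advisory or from the OpenSourcePOS project. It captures the response headers of an AJAX endpoint the way the browser requests it and classifies the Content-Type. The base URL, the session cookie value and the endpoint paths are placeholders that you must replace with the ones your instance uses (copy them from the browser's Network tab); the classification function can be re-run after patching to confirm that every endpoint now returns application/json.

```shell
#!/bin/sh
# Added example for CVE-2025-70093; not code from the advisory or from OpenSourcePOS.
# Probes AJAX endpoints of an OpenSourcePOS instance and reports whether each
# response carries "Content-Type: application/json".

# classify_content_type HEADERS
# HEADERS is a raw HTTP header block as captured with `curl -D -`.
# Prints "ok" (exit 0) for application/json, "missing" (exit 1) when no
# Content-Type header is present, or "bad:<value>" (exit 1) for anything else.
classify_content_type() {
    headers="$1"
    # Header names are case-insensitive; keep the last Content-Type seen so
    # that a redirect chain captured with -L yields the final response's type.
    ct=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($0) ~ /^content-type:/ { sub(/^[^:]*:[ \t]*/, ""); v = $0 } END { print v }')
    if [ -z "$ct" ]; then
        echo "missing"
        return 1
    fi
    # Compare only the media type; parameters such as charset are irrelevant here.
    media=$(printf '%s' "$ct" | cut -d ';' -f 1 | tr '[:upper:]' '[:lower:]' | tr -d ' ')
    if [ "$media" = "application/json" ]; then
        echo "ok"
        return 0
    fi
    echo "bad:$ct"
    return 1
}

# probe_endpoint BASE_URL PATH SESSION_COOKIE
# Sends the request the way the browser's AJAX call does (GET with
# X-Requested-With and an authenticated session cookie) instead of HEAD, since
# a HEAD request may be routed or rejected differently. Prints "<path> <result>".
probe_endpoint() {
    base="$1"; path="$2"; cookie="$3"
    headers=$(curl -s -D - -o /dev/null \
        -H 'X-Requested-With: XMLHttpRequest' \
        -H 'Accept: application/json, text/javascript, */*' \
        -b "$cookie" \
        "$base$path")
    result=$(classify_content_type "$headers") || true
    printf '%s %s\n' "$path" "$result"
}

# Example run (needs network access and a valid session cookie; the base URL,
# cookie value and endpoint paths are placeholders, not real OSPOS routes):
#
#   for p in /items/search /sales/suggest_customer; do
#       probe_endpoint https://pos.example.com "$p" 'session=REPLACE_ME'
#   done
```

Run probe_endpoint once per AJAX path the application calls; any line that does not end in "ok" identifies an endpoint whose response is not declared as JSON and therefore needs the fix applied.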
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to ensure that all AJAX responses from OpenSourcePOS set the Content-Type header to "application/json" consistently.

This is the fix described in the official pull request #4357, which modifies over 46 instances across 12 controller files to enforce proper JSON response handling.

- Update your OpenSourcePOS installation to version 3.4.2 or later, where this fix is included.
- If an immediate update is not possible, manually patch the application: replace incorrect or missing Content-Type headers in AJAX responses with "application/json" and make sure all AJAX responses are produced through the framework's response methods.

Test after applying the fix to verify that no regressions occur, especially in UI components such as category dropdowns. [2]