Executive Summary

This vulnerability exists in Kestra, an open-source event-driven orchestration platform, in versions up to and including 1.3.3. It involves the rendering of user-supplied flow YAML metadata fields such as description, inputs[].displayName, and inputs[].description through the Markdown.vue component with html enabled. The rendered HTML is injected into the DOM using Vue's v-html directive without any sanitization, allowing a flow author to embed arbitrary JavaScript code. This malicious JavaScript executes in the browser of any user who views or interacts with the flow, potentially without any user interaction (zero-click).

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to the execution of arbitrary JavaScript in the browsers of users who view or interact with the affected flows. This can result in unauthorized actions such as data theft, session hijacking, or other malicious activities performed in the context of the user's browser session. Because the attack can occur with minimal user interaction, it increases the risk of compromise.

Useful 0 Not Useful 0

Mitigation Strategies

As of the time of publication, it is unclear if a patch is available for this vulnerability.

Given the nature of the vulnerability—arbitrary JavaScript execution via unsanitized user-supplied YAML metadata fields—immediate mitigation steps include restricting or reviewing user-supplied flow metadata fields such as description, inputs[].displayName, and inputs[].description before rendering.

Additionally, limiting user privileges to reduce the risk of exploitation and avoiding viewing or interacting with untrusted flows can help mitigate risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary JavaScript execution in the browser of any user who views or interacts with the affected flow, potentially leading to unauthorized access or manipulation of sensitive data.

Such unauthorized code execution could compromise confidentiality and integrity of user data, which may impact compliance with standards like GDPR and HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly state the direct effects on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the flow YAML metadata fields—specifically the description, inputs[].displayName, and inputs[].description fields—for embedded malicious JavaScript or HTML payloads. Since the vulnerability arises from unsanitized HTML rendering in these fields, searching for suspicious script tags or event handlers (e.g., onerror, onload) within these fields is key.

On the system or network level, detection involves reviewing the flow YAML files for suspicious content and monitoring user interactions with the Kestra UI components that render these fields.

Suggested commands to detect potential exploitation or presence of malicious payloads include:

• Use grep or similar tools to search for suspicious HTML or JavaScript in flow YAML files, for example:
• grep -E '<script|onerror=|onload=' path/to/flows/*.yaml
• Review logs or network traffic for unusual API calls or session anomalies that might indicate session hijacking attempts.
• Use browser developer tools to inspect the DOM when interacting with the Kestra UI, looking for unexpected script execution or injected HTML in the affected components (InputsForm.vue, Flows.vue, MarkdownTooltip.vue, LowCodeEditor.vue, FlowTriggers.vue).

Since the vulnerability requires viewing or interacting with the flow, monitoring user activity and validating the integrity of flow metadata before deployment is recommended.

Useful 0 Not Useful 0