CVE-2026-58371

JSONP Callback Reflection in SeaweedFS

Vulnerability report for CVE-2026-58371, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
seaweedfs | seaweedfs | before 4.30 (4.30 excluded)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-58371 is a vulnerability in SeaweedFS versions before 4.30 where the system reflects the callback query parameter directly into JSONP responses without validation. This occurs in the shared writeJson helper function, which serves responses with Content-Type application/javascript but does not validate the callback name, lacks the X-Content-Type-Options: nosniff header, and has no CORS allow-list.

Because of this, unauthenticated endpoints such as /dir/status, /dir/lookup, /cluster/status, /status, and filer directory listings can be accessed cross-origin via a script tag with a chosen callback. This allows a third-party web page to read sensitive information like cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings. Additionally, the missing nosniff header means MIME-sniffing clients might interpret the response as HTML, increasing exploitation risk.

Impact Analysis

This vulnerability can lead to cross-origin information disclosure, allowing attackers to access sensitive internal details of the SeaweedFS cluster without authentication. Attackers can retrieve cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings by exploiting the unvalidated JSONP callback parameter.

Such exposure can facilitate further attacks: the disclosed topology, server addresses and file identifiers support data exfiltration, and because the unvalidated callback is reflected at the start of a body served without nosniff, MIME-sniffing clients may render attacker-supplied content as HTML, which is the cross-site scripting (XSS, CWE-79) facet of the issue. The lack of security headers and CORS restrictions increases the risk of these attacks succeeding.

Detection Guidance

This vulnerability can be detected by checking if your SeaweedFS deployment is running a version prior to 4.30 and if the JSONP callback parameter is reflected in responses from certain unauthenticated endpoints.

You can test the vulnerable endpoints such as /dir/status, /dir/lookup, /cluster/status, /status, and filer directory listings by sending HTTP requests with a callback query parameter and observing if the callback value is reflected verbatim in the response served with Content-Type application/javascript.

For example, you can use curl commands like the following to detect the vulnerability:

  • curl -i 'http://<seaweedfs-host>:<port>/dir/status?callback=alert'
  • curl -i 'http://<seaweedfs-host>:<port>/dir/lookup?callback=alert'
  • curl -i 'http://<seaweedfs-host>:<port>/cluster/status?callback=alert'
  • curl -i 'http://<seaweedfs-host>:<port>/status?callback=alert'
  • curl -i 'http://<seaweedfs-host>:<port>/filer/directory/listing?callback=alert'

If the response body starts with the callback parameter value (e.g., alert) and the Content-Type is application/javascript without the X-Content-Type-Options: nosniff header, your system is likely vulnerable.
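As an added example (not code from this page or from the SeaweedFS project), the following Go program performs the same check as the curl commands above and classifies each response by the three indicators the advisory names: a JavaScript content type, the callback reflected verbatim at the start of the body, and a missing X-Content-Type-Options: nosniff header. The type and function names (Finding, Probe, ProbeAll) and the inert callback name cbcheck are this example's own; the base URL is taken from the command line, and the filer directory listing is not probed automatically because its URL depends on the directory you list (pass it to Probe directly).

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Finding records what one probe of a JSON endpoint observed. The type is
// constructed for this example; it is not part of SeaweedFS.
type Finding struct {
	Path           string
	ContentType    string
	CallbackEchoed bool // body begins with "<callback>("
	NosniffMissing bool // no "X-Content-Type-Options: nosniff" header
}

// Vulnerable is true only when all three indicators from the advisory line up:
// a JavaScript content type, the callback reflected verbatim at the start of
// the body, and no nosniff header.
func (f Finding) Vulnerable() bool {
	return strings.HasPrefix(strings.ToLower(f.ContentType), "application/javascript") &&
		f.CallbackEchoed && f.NosniffMissing
}

// Probe requests path with a callback query parameter and classifies the
// response. The callback is an inert identifier, so a reflected response is
// just a string in the body, and the request is easy to recognise in logs.
func Probe(client *http.Client, baseURL, path, callback string) (Finding, error) {
	f := Finding{Path: path}
	target := strings.TrimRight(baseURL, "/") + path + "?" + url.Values{"callback": {callback}}.Encode()
	resp, err := client.Get(target)
	if err != nil {
		return f, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // status bodies are small
	if err != nil {
		return f, err
	}
	f.ContentType = resp.Header.Get("Content-Type")
	f.CallbackEchoed = strings.HasPrefix(strings.TrimSpace(string(body)), callback+"(")
	f.NosniffMissing = !strings.EqualFold(strings.TrimSpace(resp.Header.Get("X-Content-Type-Options")), "nosniff")
	return f, nil
}

// ProbeAll runs Probe over the master and volume-server paths named in the
// advisory and returns the findings in order.
func ProbeAll(client *http.Client, baseURL string) ([]Finding, error) {
	paths := []string{"/dir/status", "/dir/lookup", "/cluster/status", "/status"}
	findings := make([]Finding, 0, len(paths))
	for _, p := range paths {
		f, err := Probe(client, baseURL, p, "cbcheck")
		if err != nil {
			return findings, fmt.Errorf("%s: %w", p, err)
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe http://<seaweedfs-host>:<port>")
		os.Exit(2)
	}
	findings, err := ProbeAll(http.DefaultClient, os.Args[1])
	for _, f := range findings {
		fmt.Printf("%-16s content-type=%q echoed=%t nosniff-missing=%t vulnerable=%t\n",
			f.Path, f.ContentType, f.CallbackEchoed, f.NosniffMissing, f.Vulnerable())
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

A response that echoes the callback but already carries nosniff, or that is served as application/json, is reported with the individual indicators set so you can see which part of the fix is present; only the full combination is flagged as vulnerable.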

Mitigation Strategies

The immediate mitigation step is to upgrade SeaweedFS to version 4.30 or later, where the vulnerability has been fixed by removing JSONP support and adding the X-Content-Type-Options: nosniff header.

If upgrading immediately is not possible, you should restrict access to the vulnerable endpoints by implementing network-level controls such as firewall rules or IP whitelisting to prevent untrusted cross-origin requests.

Additionally, configuring SeaweedFS with a security.toml file or using the -whiteList option to limit accessible hosts can reduce exposure.

Monitoring and blocking suspicious cross-origin script tag requests targeting the affected endpoints can also help mitigate exploitation.
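As an added example (not SeaweedFS's own code, and not code from this page), the following Go snippet shows the response-writing pattern the description attributes to versions before 4.30 next to the hardened shape the mitigation describes: JSONP removed, the body always served as application/json, and X-Content-Type-Options: nosniff set. The function names writeJSONWithJSONP and writeJSON and the sample topology in main are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
)

// writeJSONWithJSONP reproduces the pattern the advisory attributes to SeaweedFS
// before 4.30: a caller-chosen callback name is written verbatim at the start
// of a body served as JavaScript, with no nosniff header. Illustrative only;
// this is not SeaweedFS's own writeJson.
func writeJSONWithJSONP(w http.ResponseWriter, r *http.Request, status int, v interface{}) error {
	body, err := json.Marshal(v)
	if err != nil {
		return err
	}
	if callback := r.URL.Query().Get("callback"); callback != "" {
		// Any origin can load this via a script tag and receive the data through
		// its callback; the unvalidated name is also reflected content.
		w.Header().Set("Content-Type", "application/javascript")
		w.WriteHeader(status)
		_, err = fmt.Fprintf(w, "%s(%s)", callback, body)
		return err
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_, err = w.Write(body)
	return err
}

// writeJSON is the hardened shape the mitigation describes: JSONP is gone (the
// request is not consulted, so a callback parameter has no effect), the body
// is always plain JSON, and nosniff keeps MIME-sniffing clients from treating
// the response as HTML. Cross-origin readers now need an explicit CORS grant,
// which this helper deliberately does not give.
func writeJSON(w http.ResponseWriter, status int, v interface{}) error {
	body, err := json.Marshal(v)
	if err != nil {
		return err
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(status)
	_, err = w.Write(body)
	return err
}

// main serves a constructed /dir/status through both writers on an ephemeral
// loopback port so the two responses can be compared with curl.
func main() {
	mux := http.NewServeMux()
	sample := map[string]interface{}{"Version": "example", "Topology": map[string]int{"Max": 7}}
	mux.HandleFunc("/dir/status", func(w http.ResponseWriter, r *http.Request) {
		if err := writeJSON(w, http.StatusOK, sample); err != nil {
			log.Println(err)
		}
	})
	mux.HandleFunc("/legacy/dir/status", func(w http.ResponseWriter, r *http.Request) {
		if err := writeJSONWithJSONP(w, r, http.StatusOK, sample); err != nil {
			log.Println(err)
		}
	})
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("try: curl -i 'http://%s/dir/status?callback=cbcheck' and the /legacy variant", ln.Addr())
	log.Fatal(http.Serve(ln, mux))
}
```

Note that merely validating the callback name (for example, allowing only identifier characters) would address the reflected-content and MIME-sniffing angle but not the cross-origin read: a well-formed JSONP response is, by design, readable by any page that includes it in a script tag, which is why the fix drops JSONP rather than sanitising it.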
