N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cf57-c578-7jvv

EPSS Score

CWE

CWE-79

Published

10/30/2025

Updated

10/30/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cf57-c578-7jvv

GHSA-cf57-c578-7jvv: Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Summary

When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases.

GET https://example.com/.within.website/?redir=javascript:alert() responds with Location: javascript:alert().

Impact

Anybody with a subrequest authentication seems affected. Using javascript: URLs will probably be blocked by most modern browsers, but using custom protocols for third-party applications might still trigger dangerous operations.

Note

This was originally reported by @mbiesiad against Weblate.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-cf57-c578-7jvv

GHSA-cf57-c578-7jvv:

N/A

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cf57-c578-7jvv

EPSS Score

CWE

CWE-79

Published

10/30/2025

Updated

10/30/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/TecharoHQ/anubis	go	< 1.23.0	1.23.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the lack of input validation for redirect URLs in Anubis's subrequest authentication mode. The analysis of the patch commit 7ed1753fcced351c81961bf520a7bfb2caac6e88 reveals modifications in lib/http.go that address this issue. Two functions were identified as vulnerable:

Server.constructRedirectURL: This function constructs a redirect URL based on X-Forwarded-* headers. Before the patch, it did not validate the X-Forwarded-Proto header, allowing schemes like javascript:. The patch introduces a validation to only allow http and https protocols.
Server.ServeHTTPNext: This function handles the /.within.website/ endpoint and processes the redir query parameter. The original code used url.Parse, which is too permissive. The patch replaces it with url.ParseRequestURI and adds explicit scheme validation to prevent schemes like javascript:, data:, etc.

Both functions are part of the Server struct and are directly involved in handling and constructing redirect URLs. Exploitation would involve a user clicking a crafted link that triggers the subrequest authentication flow with a malicious redir parameter or specially crafted X-Forwarded-Proto header, potentially leading to XSS.

Vulnerable functions

Server.constructRedirectURL

lib/http.go

The function `constructRedirectURL` was vulnerable to an open redirect. It constructed a redirect URL using the `X-Forwarded-Proto` header without proper validation. An attacker could provide a malicious protocol like `javascript` in the `X-Forwarded-Proto` header, leading to a cross-site scripting (XSS) vulnerability. The patch adds a check to ensure that the protocol is either `http` or `https`.

Server.ServeHTTPNext

lib/http.go

The function `ServeHTTPNext` was vulnerable to an open redirect. It processed the `redir` parameter from the request URL without validating its scheme. An attacker could provide a URL with a malicious scheme like `javascript:`, leading to a cross-site scripting (XSS) vulnerability. The patch replaces `url.Parse` with the stricter `url.ParseRequestURI` and adds a `switch` statement to explicitly validate and allow only `http`, `https`, and relative URLs.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-cf57-c578-7jvv: Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Summary

Impact

Note

GHSA-cf57-c578-7jvv:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-cf57-c578-7jvv: Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Summary

Impact

Note

Basic Information

Basic Information

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI