
GHSA-cf57-c578-7jvv: Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode


CVSS Score
Not assigned: the vector listed below has no confidentiality, integrity or availability impact, so it computes to a CVSS v3.1 base score of 0.0 (the "3.1" is the CVSS version, not a score)

Basic Information

CVE ID
-
EPSS Score
-
Published
10/30/2025
Updated
10/30/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Package Name: github.com/TecharoHQ/anubis
Ecosystem: go
Vulnerable Versions: < 1.23.0
First Patched Version: 1.23.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a lack of validation of redirect URLs in Anubis's subrequest authentication mode. The patch, commit 7ed1753fcced351c81961bf520a7bfb2caac6e88, modifies lib/http.go, and two functions there were identified as vulnerable:

  1. Server.constructRedirectURL: builds the redirect URL from the X-Forwarded-* headers. Before the patch it did not validate X-Forwarded-Proto, so a scheme such as javascript: could be copied into the generated URL. The patch accepts only http and https.

  2. Server.ServeHTTPNext: handles the /.within.website/ endpoint and processes the redir query parameter. The original code parsed it with url.Parse, which accepts any scheme without complaint. The patch switches to url.ParseRequestURI and adds an explicit scheme check that rejects javascript:, data: and other non-HTTP schemes.

Both functions belong to the Server struct and both construct or emit redirect URLs. Exploitation through the redir parameter requires only that a user follow a crafted link that starts the subrequest authentication flow. The X-Forwarded-Proto path is different: that header is normally set by the reverse proxy in front of Anubis, so it is attacker-controllable only when the proxy passes a client-supplied value through instead of overwriting it. In either case the result is a redirect to an attacker-chosen scheme, which can lead to XSS.

Vulnerable functions

Server.constructRedirectURL
lib/http.go
The function `constructRedirectURL` was vulnerable to an open redirect: it built the redirect URL from the `X-Forwarded-Proto` header without validating the scheme. An attacker able to control that header (for example through a proxy that forwards client-supplied `X-Forwarded-*` values) could supply a scheme such as `javascript`, leading to a cross-site scripting (XSS) vulnerability. The patch adds a check that accepts only `http` and `https`.
Server.ServeHTTPNext
lib/http.go
The function `ServeHTTPNext` was vulnerable to an open redirect: it used the `redir` parameter from the request URL without validating its scheme. An attacker could supply a URL with a scheme such as `javascript:`, leading to a cross-site scripting (XSS) vulnerability. The patch replaces `url.Parse` with the stricter `url.ParseRequestURI` and adds a `switch` statement that allows only `http`, `https`, and relative URLs.
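To make the two checks concrete, the following is a self-contained Go illustration written for this page; it is not Anubis's code, even though the function name constructRedirectURL is borrowed from the advisory, and the helpers isAllowedProto, safeRedir and parserOutcomes are hypothetical. It demonstrates the patch's approach (url.ParseRequestURI plus an explicit scheme allowlist for the redir value, and an http/https check on X-Forwarded-Proto) and goes one step further than the text: it shows that url.ParseRequestURI on its own still accepts javascript: and data: URLs, so the scheme switch is the check that matters, and it additionally rejects protocol-relative (//host) and backslash paths, which Go reports as scheme-less relative paths but browsers resolve to another origin. That last rejection is added hardening, not something this page attributes to the patch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any redirect target that fails validation.
var ErrBadRedirect = errors.New("unsafe redirect target")

// isAllowedProto is the X-Forwarded-Proto check: only the two schemes a
// browser can be sent to over HTTP are accepted. (Hypothetical helper.)
func isAllowedProto(proto string) bool {
	switch strings.ToLower(proto) {
	case "http", "https":
		return true
	}
	return false
}

// constructRedirectURL rebuilds the externally visible request URL from
// proxy-supplied X-Forwarded-Proto / X-Forwarded-Host values and the original
// request URI. Illustrative reimplementation for this page, not the project's.
func constructRedirectURL(forwardedProto, forwardedHost, requestURI string) (string, error) {
	if !isAllowedProto(forwardedProto) {
		return "", fmt.Errorf("%w: X-Forwarded-Proto %q", ErrBadRedirect, forwardedProto)
	}
	// A host value that could terminate the authority or start a path, query
	// or userinfo would let an injected header rewrite the rest of the URL.
	if forwardedHost == "" || strings.ContainsAny(forwardedHost, "/\\?#@ \t\r\n") {
		return "", fmt.Errorf("%w: X-Forwarded-Host %q", ErrBadRedirect, forwardedHost)
	}
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || u.Scheme != "" || u.Host != "" || !strings.HasPrefix(u.Path, "/") {
		return "", fmt.Errorf("%w: request URI %q", ErrBadRedirect, requestURI)
	}
	u.Scheme = strings.ToLower(forwardedProto)
	u.Host = forwardedHost
	return u.String(), nil
}

// safeRedir validates a user-controlled redir value: parse with
// url.ParseRequestURI, then allow only http, https, or a same-origin absolute
// path. ParseRequestURI already rejects empty input and bare relative paths
// such as "foo"; the switch is what rejects javascript:, data: and friends.
func safeRedir(raw string) (string, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadRedirect, err)
	}
	switch u.Scheme {
	case "http", "https":
		if u.Host == "" {
			return "", fmt.Errorf("%w: absolute URL without host: %q", ErrBadRedirect, raw)
		}
	case "":
		// Added hardening: "//evil.example" and "/\evil.example" parse as
		// plain paths here, but a browser treats them as another origin.
		if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, `/\`) {
			return "", fmt.Errorf("%w: not a same-origin path: %q", ErrBadRedirect, raw)
		}
	default:
		return "", fmt.Errorf("%w: scheme %q", ErrBadRedirect, u.Scheme)
	}
	return u.String(), nil
}

// parserOutcomes reports whether url.Parse and url.ParseRequestURI accept a
// value without error, to show that the parser swap alone is not the fix.
func parserOutcomes(raw string) (parseAccepts, parseRequestURIAccepts bool) {
	_, errParse := url.Parse(raw)
	_, errRequest := url.ParseRequestURI(raw)
	return errParse == nil, errRequest == nil
}

func main() {
	// Constructed sample redir values: two benign, the rest hostile.
	for _, raw := range []string{
		"/dashboard?tab=1",
		"https://example.com/x",
		"javascript:alert(1)",
		"data:text/html,hello",
		"//evil.example/",
		`/\evil.example/`,
		"foo",
	} {
		got, err := safeRedir(raw)
		p, r := parserOutcomes(raw)
		fmt.Printf("%-24q url.Parse=%-5v ParseRequestURI=%-5v safeRedir=%q err=%v\n", raw, p, r, got, err)
	}
	fmt.Println(constructRedirectURL("javascript", "example.com", "/"))
	fmt.Println(constructRedirectURL("HTTPS", "example.com", "/login?next=%2Fapp"))
}
```

Running it shows that both url.Parse and url.ParseRequestURI return no error for "javascript:alert(1)" and "data:text/html,hello"; only the scheme switch turns those into rejections. The protocol-relative cases are the ones to keep in mind when reviewing any "relative URLs are fine" allowlist.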

WAF Protection Rules

WAF Rule

Summary
When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects the user to any URL scheme. While most modern browsers do not allow a redirect to `javascript:` URLs, it could still trigger dangerous

Reasoning

The vulnerability lies in the lack of input validation for redirect URLs in Anubis's subrequest authentication mode. The analysis of the patch commit `****************************************` reveals modifications in `lib/http.go` that address this