CVSS Score: 6.1
Published: 2026-01-02
Full Report: https://cvereports.com/reports/GHSA-528q-4pgm-wvg2
A classic case of a feature becoming a bug. go-httpbin, a popular HTTP request-and-response debugging service, let a requester control both the content it reflects and the Content-Type header of the response, which is all an attacker needs for reflected Cross-Site Scripting (XSS).
go-httpbin versions before 2.18.0 contain a reflected XSS vulnerability. By supplying a 'Content-Type' query parameter to specific endpoints that echo request data back (JSON-encoded or Base64-decoded), an attacker can make the server return attacker-chosen bytes under an HTML content type. A victim who opens the crafted URL has that content rendered as a page, and any script in it runs in the victim's browser within the origin of the go-httpbin host.
- GHSA ID: GHSA-528q-4pgm-wvg2
- CVSS: 6.1 (Medium)
- CWE: CWE-79 (XSS)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: Required (the victim must open a crafted link, e.g. delivered via phishing)
Affected Versions:
- go-httpbin < 2.18.0 (fixed in 2.18.0)
Mitigations:
- Upgrade go-httpbin to version 2.18.0 or later.
- After upgrading, make sure UNSAFE_ALLOW_DANGEROUS_RESPONSES is unset or false in the service's environment; this switch deliberately restores the pre-2.18.0 behavior and re-opens the issue.
- Serve go-httpbin with a strict Content-Security-Policy header as defense in depth, so reflected inline script is not executed even if an HTML response slips through.
- As a stopgap until the upgrade is deployed, put the service behind a WAF with XSS filtering rules; this reduces exposure but does not fix the reflecting endpoints.
Remediation Steps:
- Check the running version of go-httpbin (for example, from the image tag in your deployment); anything below 2.18.0 is affected.
- Pull the fixed container image: docker pull mccutchen/go-httpbin:v2.18.0
- Redeploy the service.
- Verify the fix by replaying the PoC URLs from the full report: the response should now be refused or returned under a non-HTML content type rather than rendered as a page.
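The following Go program is an added example, not code from go-httpbin or from this report. It shows the anti-pattern the advisory describes (a reflecting endpoint that lets the caller pick both the body and the Content-Type), a hardened version that allowlists media types and only serves renderable ones behind an explicit operator opt-in (the same role the UNSAFE_ALLOW_DANGEROUS_RESPONSES switch plays), and the probe a verifier would run against a deployment after the upgrade. The endpoint path (/reflect), the query parameter name (data) and the payload are assumptions made for this example; substitute the PoC URLs from the full report when checking a real instance.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// xssPayload is a constructed marker; a verifier only needs to see it come back
// verbatim under a browser-renderable Content-Type to know script would run.
const xssPayload = "<script>alert(document.domain)</script>"

// decodeInput reads the hypothetical base64 "data" query parameter (assumed name).
func decodeInput(r *http.Request) ([]byte, error) {
	return base64.StdEncoding.DecodeString(r.URL.Query().Get("data"))
}

// requestedContentType returns the caller-supplied Content-Type or a safe default.
func requestedContentType(r *http.Request) string {
	if ct := r.URL.Query().Get("Content-Type"); ct != "" {
		return ct
	}
	return "text/plain; charset=utf-8"
}

// vulnerableHandler reproduces the anti-pattern: caller-controlled body AND
// caller-controlled Content-Type, written back without any check.
func vulnerableHandler() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := decodeInput(r)
		if err != nil {
			http.Error(w, "invalid base64", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", requestedContentType(r)) // attacker picks text/html
		w.Write(body)                                            // and the page content
	}
}

// safeMediaTypes is the allowlist of types a browser will not execute script from.
var safeMediaTypes = map[string]bool{
	"text/plain":               true,
	"application/json":         true,
	"application/octet-stream": true,
}

// hardenedHandler keeps the reflection feature but refuses any media type outside
// the allowlist unless the operator opted in (the "unsafe" switch in this example).
func hardenedHandler(allowDangerous bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := decodeInput(r)
		if err != nil {
			http.Error(w, "invalid base64", http.StatusBadRequest)
			return
		}
		ct := requestedContentType(r)
		// Normalise before checking so "TEXT/HTML; charset=utf-8" cannot slip past.
		mediaType, _, err := mime.ParseMediaType(ct)
		if err != nil || (!allowDangerous && !safeMediaTypes[mediaType]) {
			http.Error(w, "content type not allowed", http.StatusBadRequest)
			return
		}
		w.Header().Set("X-Content-Type-Options", "nosniff") // no sniffing of the echoed bytes
		w.Header().Set("Content-Type", ct)
		w.Write(body)
	}
}

// ProbeResult is what a verifier inspects after sending the crafted request.
type ProbeResult struct {
	Status      int
	ContentType string
	NoSniff     bool
	Reflected   bool // payload came back byte-for-byte, i.e. unescaped
}

// Exploitable reports whether a browser opening the probe URL would run the
// payload: reflected verbatim, HTTP 200, and an HTML media type.
func (p ProbeResult) Exploitable() bool {
	mediaType, _, err := mime.ParseMediaType(p.ContentType)
	return err == nil && p.Status == http.StatusOK && p.Reflected && mediaType == "text/html"
}

// probe sends the crafted request to baseURL, asking for the given Content-Type.
func probe(baseURL, contentType string) (ProbeResult, error) {
	q := url.Values{}
	q.Set("data", base64.StdEncoding.EncodeToString([]byte(xssPayload)))
	q.Set("Content-Type", contentType)
	resp, err := http.Get(baseURL + "/reflect?" + q.Encode())
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{
		Status:      resp.StatusCode,
		ContentType: resp.Header.Get("Content-Type"),
		NoSniff:     strings.EqualFold(resp.Header.Get("X-Content-Type-Options"), "nosniff"),
		Reflected:   strings.Contains(string(body), xssPayload),
	}, nil
}

// runProbe hosts the handler on a loopback test server and probes it (fully offline).
func runProbe(h http.Handler, contentType string) (ProbeResult, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	return probe(srv.URL, contentType)
}

func main() {
	handlers := map[string]http.Handler{
		"vulnerable":      vulnerableHandler(),
		"hardened":        hardenedHandler(false),
		"hardened+unsafe": hardenedHandler(true),
	}
	for name, h := range handlers {
		res, err := runProbe(h, "text/html")
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-16s status=%d ct=%q nosniff=%v reflected=%v exploitable=%v\n",
			name, res.Status, res.ContentType, res.NoSniff, res.Reflected, res.Exploitable())
	}
}
```

The hardened variant with the opt-in enabled still reports exploitable, which is the point of the second mitigation above: the switch exists for operators who knowingly want the old behavior, and nosniff does not help once the server itself declares text/html. Against a real deployment, point probe at the service's base URL with the PoC URLs from the full report in place of the assumed /reflect endpoint.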
Generated by CVEReports - Automated Vulnerability Intelligence