@alon710
Created January 28, 2026 11:40
GHSA-P4F6-H8JJ-VFVF: go-httpbin: How a Helpful Debugging Tool Became an XSS Playground - CVE Security Report

CVSS Score: 7.2
Published: 2026-01-02
Full Report: https://cvereports.com/reports/GHSA-P4F6-H8JJ-VFVF

Summary

The mccutchen/go-httpbin project, a popular tool for inspecting HTTP requests, contained a classic Reflected Cross-Site Scripting (XSS) vulnerability. Because the /response-headers and /base64 endpoints let a request control the Content-Type response header and reflected unescaped payloads in the response body, they could be turned against users of the service. This flaw allowed arbitrary JavaScript execution in the context of a victim's browser, leading to session hijacking, data theft, and other client-side attacks.

TL;DR

A reflected XSS in go-httpbin's /response-headers and /base64 endpoints lets attackers execute JavaScript in a victim's browser. The vulnerability stems from letting the user control both the Content-Type header and the response body content without proper escaping. Upgrade to version v2.18.0 or later to remediate it.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Attack Vector: Network
  • CVSS 3.0 Score: 7.2 (High)
  • Impact: Arbitrary JavaScript execution in victim's browser, leading to session hijacking and data theft.
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not listed in CISA KEV

Affected Systems

  • mccutchen/go-httpbin
  • go-httpbin: < 2.18.0 (Fixed in: 2.18.0)

Mitigation

  • Upgrade to the patched version of mccutchen/go-httpbin.
  • Avoid using the --unsafe-allow-dangerous-responses flag.
  • Implement a Content Security Policy (CSP) as a defense-in-depth measure.
  • Perform context-aware output encoding on all user-reflected data.
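As an added illustration in Go (not go-httpbin's own code), this is the pattern the report describes and the corrective its mitigation list recommends: a handler that lets the client choose both the Content-Type and the reflected body, guarded by a safelist check that refuses active-document media types unless an opt-in flag (modelled here as the allowDangerous parameter) is set, and always sending nosniff plus a restrictive CSP as defense in depth. The media-type list, the handler and the serve helper are assumptions for this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Media types a browser renders as an active document (constructed list, not go-httpbin's own).
var activeDocumentTypes = map[string]bool{"text/html": true, "application/xhtml+xml": true, "image/svg+xml": true, "application/xml": true}

// isDangerousContentType reports whether a client-chosen Content-Type would make the browser
// execute markup in the reflected body; parameters (charset etc.) are ignored, matching is case-insensitive.
func isDangerousContentType(ct string) bool {
	mediaType, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return true // unparseable or empty: refuse rather than let the browser sniff the body
	}
	return activeDocumentTypes[mediaType]
}

// reflectHandler models the risky pattern: the client picks both Content-Type and body.
// allowDangerous stands in for the opt-in flag; off means active-document types are rejected.
func reflectHandler(allowDangerous bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ct := r.URL.Query().Get("Content-Type")
		if !allowDangerous && isDangerousContentType(ct) {
			http.Error(w, "content type not allowed", http.StatusBadRequest)
			return
		}
		w.Header().Set("X-Content-Type-Options", "nosniff")      // defense in depth: no MIME sniffing
		w.Header().Set("Content-Security-Policy", "default-src 'none'") // blocks script even if a type slips through
		w.Header().Set("Content-Type", ct)
		w.Write([]byte(r.URL.Query().Get("body")))
	}
}

// serve runs one request through the handler and returns the status code and Content-Type received.
func serve(allowDangerous bool, ct, body string) (int, string) {
	q := url.Values{"Content-Type": {ct}, "body": {body}}.Encode()
	req := httptest.NewRequest(http.MethodGet, "/response-headers?"+q, nil)
	rec := httptest.NewRecorder()
	reflectHandler(allowDangerous).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Content-Type")
}

func main() {
	fmt.Println(serve(false, "text/html", "<b>hi</b>")) // 400 text/plain; charset=utf-8
}
```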

Remediation Steps:

  1. Identify all instances of mccutchen/go-httpbin in your environment.
  2. Upgrade all instances to version v2.18.0 or a newer version.
  3. Review the startup configuration for each instance and remove the -unsafe-allow-dangerous-responses command-line flag or the UNSAFE_ALLOW_DANGEROUS_RESPONSES=true environment variable.
  4. Restart the go-httpbin service to apply the changes.

Generated by CVEReports - Automated Vulnerability Intelligence