@alon710
Created January 28, 2026 11:43
GHSA-6mp4-q625-mxjp: Short Links, Long Scripts: Pwning YOURLS via JSONP - CVE Security Report

CVSS Score: 8.2
Published: 2025-12-30
Full Report: https://cvereports.com/reports/GHSA-6mp4-q625-mxjp

Summary

A deep dive into a Reflected Cross-Site Scripting (XSS) vulnerability in the popular YOURLS URL shortener. By abusing the legacy JSONP support in the API, attackers can execute arbitrary JavaScript in the context of the administrator's session.

TL;DR

The YOURLS API can return JSONP responses, wrapping the JSON body in a function name taken from the callback request parameter. Versions prior to 1.10.3 did not validate this parameter, so a value containing JavaScript was reflected verbatim into the API response, which the browser executes as script. This is a Reflected XSS that can be used to compromise admin accounts.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (API)
  • CVSS v3: 8.2 (High)
  • Impact: Session Hijacking, Redirection Manipulation
  • Fix Commit: b1c6100
  • Exploit Status: PoC Available

Affected Systems

  • YOURLS < 1.10.3 (fixed in 1.10.3)

Mitigation

  • Upgrade to YOURLS 1.10.3 or later immediately.
  • If upgrading is impossible, disable the API or block requests carrying the callback parameter at the WAF or web-server layer.
  • Ensure YOURLS_PRIVATE is set to true, so the API requires authentication and the attack surface is reduced.
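The following is an added example (not code from the YOURLS project or from the CVEReports page) that illustrates the root cause described in the TL;DR and the "block the callback parameter" mitigation above. It contrasts the unsafe pattern of echoing the callback parameter straight into a JSONP body with a hardened builder that only accepts a plain JavaScript identifier, and it scans a few constructed access-log lines for callback values that would fail that allow-list, which is the same check a WAF rule or a log-based detection would apply. The /api path, the log lines and the request values are all constructed for the example; the real YOURLS endpoint path is not given on this page.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a JSONP callback: a JavaScript identifier, optionally dotted
# (e.g. "app.handlers.done"). Anything else is rejected outright rather than
# "sanitised", because escaping cannot make an arbitrary string a safe callee.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def vulnerable_jsonp(payload: dict, callback: str) -> str:
    """'Before' pattern: the request's callback value is reflected verbatim.

    Because the response is served as script, whatever the caller put in
    `callback` is executed by the browser; this is the CWE-79 condition.
    """
    return f"{callback}({json.dumps(payload)});"


def is_valid_callback(callback: str) -> bool:
    """True only for a plain (optionally dotted) JavaScript identifier."""
    return CALLBACK_RE.fullmatch(callback) is not None


def hardened_jsonp(payload: dict, callback: str) -> str:
    """'After' pattern: refuse anything that is not an identifier.

    The leading block comment is a common JSONP hardening that stops the
    response from being interpreted as another content type by sniffing.
    Serve it with Content-Type: application/javascript and
    X-Content-Type-Options: nosniff (headers not shown here).
    """
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    return f"/**/{callback}({json.dumps(payload)});"


# Constructed access-log lines in Common Log Format. "/api" stands in for the
# shortener's API endpoint; it is an assumption, not the project's real path.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2025:10:00:00 +0000] "GET /api?format=jsonp&callback=handleResult HTTP/1.1" 200 120',
    '203.0.113.6 - - [30/Dec/2025:10:00:01 +0000] "GET /api?format=json HTTP/1.1" 200 98',
    '203.0.113.7 - - [30/Dec/2025:10:00:02 +0000] "GET /api?format=jsonp&callback=handle%28%29%3Bx HTTP/1.1" 200 120',
    '203.0.113.8 - - [30/Dec/2025:10:00:03 +0000] "GET /api?format=jsonp&callback= HTTP/1.1" 200 120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return (1-based line number, decoded callback) for every request whose
    callback parameter fails the identifier allow-list.

    Percent-encoding is decoded by parse_qs, so encoded punctuation is caught;
    an empty callback is also flagged, since a legitimate client never sends one.
    """
    flagged = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("callback", []):
            if not is_valid_callback(value):
                flagged.append((lineno, value))
    return flagged


if __name__ == "__main__":
    body = {"status": "success", "shorturl": "https://example.test/abc"}
    print(vulnerable_jsonp(body, "handleResult"))
    print(hardened_jsonp(body, "handleResult"))
    for lineno, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: rejected callback {value!r}")
```

The same regular expression can be lifted directly into a WAF or web-server rule that returns 403 when the callback query parameter is present but does not match it, which is the interim mitigation the list above recommends; upgrading to 1.10.3 remains the actual fix.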

Remediation Steps:

  1. Back up your user/config.php file.
  2. Download the latest release from the official YOURLS repository.
  3. Replace the includes/ directory with the new version.
  4. Verify the version number in the admin dashboard.

Generated by CVEReports - Automated Vulnerability Intelligence
