CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-45286 (CVSS 7.2)

go-httpbin: How a Trusting API Became an XSS Cannon

Amit Schendel, Senior Security Researcher

Jan 3, 2026 · 7 min read

PoC Available

Executive Summary (TL;DR)

A reflected cross-site scripting (XSS) flaw in go-httpbin lets an attacker execute JavaScript in a victim's browser by crafting a URL that sets the response `Content-Type` header to `text/html` and carries a script payload that the server echoes back. Because the server trusts the user's input for response metadata, the browser renders the reflected payload and the attacker's script runs within the application's origin, compromising the user's session there.

The mccutchen/go-httpbin library, a popular tool for testing HTTP clients, contained a classic but potent Reflected Cross-Site Scripting (XSS) vulnerability. By allowing attackers to control the `Content-Type` response header via a simple URL parameter, the application could be tricked into serving malicious HTML to users. This turned a harmless testing utility into a weapon for executing arbitrary JavaScript in a victim's browser, demonstrating the timeless lesson that trusting user input for response metadata is a recipe for disaster.
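As an added example (constructed here, not go-httpbin's own code and not the project's actual fix), the following Go program contrasts the trusting echo pattern behind this bug with a hardened handler that keeps `Content-Type` server-controlled and adds `nosniff` and a CSP as defence in depth. The `/response-headers` route and the `xss` parameter mirror the advisory's PoC shape, with a harmless `<b>` tag substituted for the payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// Constructed simplification of the vulnerable pattern (not go-httpbin's code): every
// query parameter becomes a response header and is echoed in the body, so the client
// sending ?Content-Type=text/html decides how the browser interprets its own input.
func vulnerableResponseHeaders(w http.ResponseWriter, r *http.Request) {
	args := r.URL.Query()
	for k, vs := range args {
		for _, v := range vs {
			w.Header().Add(k, v) // "content-type" is canonicalised to Content-Type too
		}
	}
	enc := json.NewEncoder(w)
	enc.SetEscapeHTML(false) // writes < and > verbatim into the body
	enc.Encode(args)
}

// Hardened variant: parameters are still reflected, but the server owns the media type
// and adds nosniff/CSP as defence in depth; json.Marshal also escapes < > & by default.
func hardenedResponseHeaders(w http.ResponseWriter, r *http.Request) {
	args := r.URL.Query()
	for k, vs := range args {
		if http.CanonicalHeaderKey(k) == "Content-Type" {
			continue // the client never picks the body's media type
		}
		for _, v := range vs {
			w.Header().Add(k, v)
		}
	}
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'")
	body, _ := json.Marshal(args)
	w.Write(body)
}

func main() { // constructed probe in the advisory's PoC shape, with a harmless tag
	for _, h := range []http.HandlerFunc{vulnerableResponseHeaders, hardenedResponseHeaders} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", "/response-headers?content-type=text/html&xss=%3Cb%3Ex%3C/b%3E", nil))
		fmt.Printf("Content-Type=%q body=%s\n", rec.Header().Get("Content-Type"), rec.Body.String())
	}
}
```

The first line printed shows the echoed `text/html` type with the raw tag in the body; the second shows the hardened handler answering as JSON with the tag escaped.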


Technical Appendix

CVSS Score: 7.2 / 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected Systems

mccutchen/go-httpbin

Affected Versions Detail

Product:            go-httpbin (mccutchen)
Affected Versions:  < 2.18.0
Fixed Version:      2.18.0

Attribute           Detail
CWE ID:             CWE-79
Weakness:           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v3.0 Score:    7.2 (Medium)
Attack Vector:      Network
Impact:             Arbitrary JavaScript execution in the user's browser, leading to session hijacking, data theft, and phishing.
Exploit Status:     Proof-of-Concept Available
KEV Status:         Not Listed

MITRE ATT&CK Mapping

  • T1059.007 JavaScript (Execution)
  • T1190 Exploit Public-Facing Application (Initial Access)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

  • Vulners PoC URL: /response-headers?Content-Type=text/html&xss=<img/src/onerror=alert('xss')>
  • Vulners PoC URL: /base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html
  • Nuclei Template: Detection logic using a crafted GET request to the /response-headers endpoint (detection template available).

Vulnerability Timeline

  • 2025-03-20: Fix was committed to the main branch.
  • 2025-03-21: GitHub Advisory GHSA-528q-4pgm-wvg2 was published.
  • 2026-01-02: CVE-2025-45286 was published by NVD.

References & Sources

  • [1] Primary GitHub Advisory (GHSA-528q-4pgm-wvg2)
  • [2] Fix Commit
  • [3] NVD Entry for CVE-2025-45286
  • [4] Patched Release (v2.18.0)

Attack Flow Diagram
