go-httpbin: How a Trusting API Became an XSS Cannon
Jan 3, 2026·7 min read·1 visit
Executive Summary (TL;DR)
A Reflected XSS in go-httpbin lets attackers execute JavaScript in a victim's browser by crafting a URL that sets the response `Content-Type` to `text/html` and injects a script payload. The server blindly trusts the user's input, rendering the script and compromising the user's session within the application's domain.
The mccutchen/go-httpbin library, a popular tool for testing HTTP clients, contained a classic but potent Reflected Cross-Site Scripting (XSS) vulnerability. By allowing attackers to control the `Content-Type` response header via a simple URL parameter, the application could be tricked into serving malicious HTML to users. This turned a harmless testing utility into a weapon for executing arbitrary JavaScript in a victim's browser, demonstrating the timeless lesson that trusting user input for response metadata is a recipe for disaster.
Fix Analysis (1)
Technical Appendix
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
go-httpbin mccutchen | < 2.18.0 | 2.18.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVSS v3.0 Score | 7.2 (Medium) |
| Attack Vector | Network |
| Impact | Arbitrary JavaScript execution in user's browser, leading to session hijacking, data theft, and phishing. |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |
MITRE ATT&CK Mapping
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.