CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

GHSA-P4F6-H8JJ-VFVF
CVSS 7.2 · EPSS 0.06%

go-httpbin: How a Helpful Debugging Tool Became an XSS Playground

Alon Barad, Software Engineer
Jan 3, 2026 · 7 min read

PoC Available

Executive Summary (TL;DR)

A reflected XSS in go-httpbin's `/response-headers` and `/base64` endpoints lets an attacker execute JavaScript in a victim's browser. The root cause is that the requester controls both the `Content-Type` response header and the content reflected into the response body, and that reflected content is not escaped. Upgrade to `v2.18.0` or later.

mccutchen/go-httpbin, a Go port of httpbin widely used to inspect HTTP requests and responses, contained a classic reflected cross-site scripting (XSS) vulnerability. Because a requester could set the `Content-Type` response header and have an unescaped payload reflected into the response body, the `/response-headers` and `/base64` endpoints could be turned into an HTML page of the attacker's choosing. Anyone who opened a crafted link to a vulnerable instance ran the attacker's JavaScript in the origin where go-httpbin was hosted; what that yields (session hijacking, data theft, further client-side attacks) depends on what else is served from, or trusts, that origin. Publicly exposed debugging instances, and instances hosted on a domain shared with other applications, are the realistic targets.
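As an added illustration of the bug class (this is example code written for this report, not go-httpbin's handler and not its fix), the two handlers below sit side by side. `vulnerableResponseHeaders` copies every query parameter into a response header and reflects the raw values into the body, so a request carrying `Content-Type=text/html` and an `<img onerror>` payload is served as HTML. `hardenedResponseHeaders` keeps the endpoint's purpose but only honours a requester-supplied `Content-Type` when it is in a small allowlist of non-renderable types (the allowlist is this example's own assumption), HTML-escapes what it reflects, and sets `X-Content-Type-Options: nosniff` so the browser does not guess a type. `probe` replays the PoC shape described on this page against either handler with `net/http/httptest`.

```go
package main

import (
	"fmt"
	"html"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableResponseHeaders illustrates the bug class: every query parameter
// becomes a response header (so the requester picks Content-Type), and the
// same values are reflected unescaped into the body. Example code, not the
// project's handler.
func vulnerableResponseHeaders(w http.ResponseWriter, r *http.Request) {
	var body strings.Builder
	for k, vs := range r.URL.Query() {
		for _, v := range vs {
			w.Header().Add(k, v)                 // Content-Type=text/html lands here...
			fmt.Fprintf(&body, "%s: %s\n", k, v) // ...and the raw payload lands here
		}
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, body.String())
}

// safeContentTypes is this example's allowlist (an assumption, not the
// project's policy): types a browser will not interpret as markup or script.
var safeContentTypes = map[string]bool{
	"text/plain":               true,
	"application/json":         true,
	"application/octet-stream": true,
}

// sanitizeContentType returns the requested media type if it is allowlisted,
// otherwise a fixed text/plain. Parameters such as charset are dropped.
func sanitizeContentType(requested string) string {
	mediaType, _, err := mime.ParseMediaType(requested)
	if err != nil || !safeContentTypes[strings.ToLower(mediaType)] {
		return "text/plain; charset=utf-8"
	}
	return strings.ToLower(mediaType)
}

// hardenedResponseHeaders still echoes parameters as headers (that is what the
// endpoint is for; header-injection concerns beyond XSS are out of scope here),
// but never lets the requester choose a renderable Content-Type, HTML-escapes
// what it reflects, and disables MIME sniffing.
func hardenedResponseHeaders(w http.ResponseWriter, r *http.Request) {
	var body strings.Builder
	requested := ""
	for k, vs := range r.URL.Query() {
		for _, v := range vs {
			if strings.EqualFold(k, "Content-Type") {
				requested = v // decided below, not copied blindly
				continue
			}
			w.Header().Add(k, v)
			fmt.Fprintf(&body, "%s: %s\n", html.EscapeString(k), html.EscapeString(v))
		}
	}
	w.Header().Set("Content-Type", sanitizeContentType(requested))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, body.String())
}

// probe replays the PoC shape (Content-Type=text/html plus an <img onerror>
// payload) against a handler and reports the Content-Type actually sent and
// whether the payload came back unescaped.
func probe(h http.HandlerFunc) (contentType string, rawPayloadReflected bool) {
	payload := `<img src=x onerror=alert(1)>`
	q := url.Values{}
	q.Set("Content-Type", "text/html")
	q.Set("x", payload)
	req := httptest.NewRequest(http.MethodGet, "/response-headers?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Content-Type"), strings.Contains(rec.Body.String(), payload)
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableResponseHeaders}, {"hardened", hardenedResponseHeaders}} {
		ct, reflected := probe(c.h)
		fmt.Printf("%-10s Content-Type=%q raw payload in body=%v\n", c.name, ct, reflected)
	}
}
```

The same rule applies to any endpoint that hands back requester-supplied bytes, `/base64` included: decide the response type server-side from an allowlist, and treat the reflected bytes as text, never as markup.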

Official Patches

  • GitHub: fix commit
  • GitHub: patched release v2.18.0

Technical Appendix

CVSS Score: 7.2 / 10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Probability: 0.06%

Note that the vector scores user interaction as UI:N. A reflected XSS normally requires the victim to open an attacker-supplied link (UI:R), which with the same remaining metrics scores 6.1 (Medium).

Affected Systems

mccutchen/go-httpbin

Affected Versions Detail

Product      Vendor      Affected Versions   Fixed Version
go-httpbin   mccutchen   < 2.18.0            2.18.0

Attribute         Detail
CWE ID            CWE-79
CWE Name          Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Attack Vector     Network
CVSS 3.0 Score    7.2 (High)
Impact            Arbitrary JavaScript execution in the victim's browser, leading to session hijacking and data theft.
Exploit Status    Proof-of-Concept Available
KEV Status        Not listed in CISA KEV

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.007 JavaScript (Execution)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

  • PoC (URL): triggers XSS via the /response-headers endpoint by setting Content-Type to text/html and reflecting an image tag with an onerror event.
  • PoC (URL): triggers XSS via the /base64 endpoint by decoding a base64 payload and rendering it as HTML.
  • Nuclei: detection template available.
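As an added example from the defender's side (constructed for this report; it is neither the published Nuclei template nor go-httpbin code), the scanner below walks access-log lines and flags the two PoC shapes listed above: a `/response-headers` request that asks for a renderable `Content-Type` or carries HTML markup in a reflected parameter, and a `/base64/<payload>` request whose decoded payload contains markup. The sample log lines are constructed, and the set of "renderable" media types is this example's own choice.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"mime"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// renderableTypes are media types a browser parses as markup or script.
// This set is the example's own choice, not a list from the advisory.
var renderableTypes = map[string]bool{
	"text/html":             true,
	"application/xhtml+xml": true,
	"image/svg+xml":         true,
}

// htmlTagRe matches the start of a tag (<img, </script, <!--). Coarse on
// purpose; a bare "a < b" comparison does not trigger it.
var htmlTagRe = regexp.MustCompile(`(?i)</?[a-z!]`)

// requestLineRe pulls the request target out of a common-log-format line.
var requestLineRe = regexp.MustCompile(`"(?:GET|POST|HEAD|PUT) (\S+) HTTP/`)

type finding struct {
	Line   int
	Target string
	Reason string
}

// decodeBase64Loose tries padded/unpadded and standard/URL-safe alphabets,
// since a scanner cannot know which one the server would have accepted.
func decodeBase64Loose(s string) (string, bool) {
	for _, enc := range []*base64.Encoding{
		base64.StdEncoding, base64.URLEncoding, base64.RawStdEncoding, base64.RawURLEncoding,
	} {
		if b, err := enc.DecodeString(s); err == nil {
			return string(b), true
		}
	}
	return "", false
}

// inspectTarget returns the reasons a request target matches one of the two
// PoC shapes, sorted so the output is deterministic.
func inspectTarget(target string) (reason string, suspicious bool) {
	u, err := url.Parse(target)
	if err != nil {
		return "", false
	}
	var reasons []string
	switch {
	case u.Path == "/response-headers":
		for k, vs := range u.Query() {
			for _, v := range vs {
				if strings.EqualFold(k, "Content-Type") {
					if mt, _, err := mime.ParseMediaType(v); err == nil && renderableTypes[strings.ToLower(mt)] {
						reasons = append(reasons, "renderable Content-Type requested: "+mt)
					}
				} else if htmlTagRe.MatchString(v) {
					reasons = append(reasons, "HTML markup in reflected parameter "+k)
				}
			}
		}
	case strings.HasPrefix(u.Path, "/base64/"):
		if decoded, ok := decodeBase64Loose(strings.TrimPrefix(u.Path, "/base64/")); ok && htmlTagRe.MatchString(decoded) {
			reasons = append(reasons, "HTML markup in base64 payload")
		}
	}
	if len(reasons) == 0 {
		return "", false
	}
	sort.Strings(reasons)
	return strings.Join(reasons, "; "), true
}

// scanLog applies inspectTarget to every parsable request line.
func scanLog(lines []string) []finding {
	var out []finding
	for i, line := range lines {
		if m := requestLineRe.FindStringSubmatch(line); m != nil {
			if reason, hit := inspectTarget(m[1]); hit {
				out = append(out, finding{Line: i + 1, Target: m[1], Reason: reason})
			}
		}
	}
	return out
}

// sampleLog returns constructed access-log lines (not real traffic): two benign
// requests, the two PoC shapes from this page, and a benign /base64 decode.
func sampleLog() []string {
	payload := `<img src=x onerror=alert(1)>`
	return []string{
		`10.0.0.5 - - [02/Jan/2026:10:00:01 +0000] "GET /get HTTP/1.1" 200 312`,
		`10.0.0.5 - - [02/Jan/2026:10:00:02 +0000] "GET /response-headers?freeform=hello HTTP/1.1" 200 88`,
		fmt.Sprintf(`198.51.100.7 - - [02/Jan/2026:10:00:03 +0000] "GET /response-headers?Content-Type=text/html&x=%s HTTP/1.1" 200 120`, url.QueryEscape(payload)),
		fmt.Sprintf(`198.51.100.7 - - [02/Jan/2026:10:00:04 +0000] "GET /base64/%s HTTP/1.1" 200 27`, base64.StdEncoding.EncodeToString([]byte(payload))),
		`10.0.0.9 - - [02/Jan/2026:10:00:05 +0000] "GET /base64/aGVsbG8gd29ybGQ= HTTP/1.1" 200 11`,
	}
}

func main() {
	for _, f := range scanLog(sampleLog()) {
		fmt.Printf("line %d: %s\n  %s\n", f.Line, f.Target, f.Reason)
	}
}
```

Run against real logs, the `/base64` rule is the noisier one, because legitimate users do decode arbitrary text with it; pair it with the requesting IP and the `/response-headers` rule before alerting.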

Vulnerability Timeline

  • 2025-03-20: fix committed by the developer.
  • 2025-03-21: GitHub Security Advisory GHSA-528q-4pgm-wvg2 published.
  • 2026-01-02: CVE-2025-45286 published in the NVD.

References & Sources

  • [1] GitHub Advisory: GHSA-528q-4pgm-wvg2
  • [2] NVD Entry: CVE-2025-45286
  • [3] OSV.dev Entry: GHSA-528q-4pgm-wvg2

Related Vulnerabilities

  • GHSA-p4f6-h8jj-vfvf
  • CVE-2025-45286

Attack Flow Diagram

(interactive diagram; not reproduced in text)