go-httpbin: How a Helpful Debugging Tool Became an XSS Playground
Jan 3, 2026·7 min read·1 visit
Executive Summary (TL;DR)
A reflected XSS in go-httpbin's `/response-headers` and `/base64` endpoints lets attackers execute JavaScript in a victim's browser. The vulnerability stems from letting the user control both the `Content-Type` header and the response body content without proper escaping. Upgrade to version `v2.18.0` or later to fix it.
The mccutchen/go-httpbin framework, a popular tool for inspecting HTTP requests, contained a classic Reflected Cross-Site Scripting (XSS) vulnerability. By allowing attackers to control the `Content-Type` response header and reflect unescaped payloads in the response body, the `/response-headers` and `/base64` endpoints could be turned against users. This flaw allowed for arbitrary JavaScript execution in the context of a victim's browser, leading to session hijacking, data theft, and other client-side attacks.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
go-httpbin mccutchen | < 2.18.0 | 2.18.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| CWE Name | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Attack Vector | Network |
| CVSS 3.0 Score | 7.2 (High) |
| Impact | Arbitrary JavaScript execution in victim's browser, leading to session hijacking and data theft. |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not listed in CISA KEV |
MITRE ATT&CK Mapping
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.