GHSA-v7qw-hx66-4w9x: Stored Cross-Site Scripting (XSS) in NetBox Data Flows Plugin

The netbox-data-flows plugin extends NetBox, an infrastructure resource modeling tool, to support the documentation of network data flows. This vulnerability represents a classic Stored Cross-Site Scripting (CWE-79) weakness within the administrative interface of this plugin. The vulnerability allows authenticated users with relatively low privileges to inject persistent malicious payloads into the system database.

The attack surface is exposed through the ObjectAlias management view. Users with permissions to create or modify ObjectAlias entities can input arbitrary HTML and JavaScript into the alias name field. Because the application fails to neutralize this input before persisting it, the payload is stored directly in the underlying database without sanitization.

When other users access the DataFlow table views, the application retrieves these malicious alias names and renders them as part of the HTML document. This execution occurs within the context of the victim's browser session, granting the attacker access to the victim's NetBox session state, CSRF tokens, and application interface.

The root cause of this vulnerability lies in the improper use of Django's mark_safe function combined with Python's formatted string literals (f-strings). Django's template engine includes automatic HTML escaping by default to prevent XSS. However, developers can explicitly disable this protection for specific strings by wrapping them in the mark_safe() utility.

In netbox_data_flows/utils/helpers.py, the object_list_to_string function is responsible for rendering custom table columns. The function constructs HTML anchor tags by iterating over a list of objects. It uses an f-string to interpolate the object's URL and its string representation directly into an HTML string: f'<a href="{o.get_absolute_url()}">{o}</a>'.

When the {o} placeholder is evaluated, Python implicitly calls the __str__ method of the ObjectAlias object, returning the user-controlled alias name. Because this entirely unescaped string is immediately passed into mark_safe(), Django trusts the resulting HTML snippet completely. The template engine renders the unescaped user input verbatim, executing any embedded JavaScript in the process.

An analysis of the vulnerable object_list_to_string function reveals the exact mechanism of the flaw. The developer intended to return a comma-separated list of active hyperlinks, but prioritized convenience over security by bypassing the framework's output encoding.

# Vulnerable implementation in netbox_data_flows/utils/helpers.py
from django.utils.safestring import mark_safe
 
def object_list_to_string(objects, separator=", "):
    # The variable 'o' expands to the unescaped string representation of the object
    return mark_safe(
        separator.join(f'<a href="{o.get_absolute_url()}">{o}</a>' for o in objects)
    )

The fundamental error is interpolating raw variables into an HTML context before applying output encoding. The correct approach in Django requires either escaping the variable explicitly before string interpolation, or utilizing django.utils.html.format_html(), which safely handles argument escaping while constructing HTML structures.

> [!NOTE] > Using format_html instead of mark_safe with f-strings is a crucial security pattern in Django. format_html applies escaping to its arguments before inserting them into the template string, effectively mitigating this class of XSS vulnerability.

Exploitation of this vulnerability requires an attacker to possess active credentials to the NetBox instance, specifically with permissions to manage ObjectAlias and DataFlow records. The attack proceeds in distinct phases: payload injection, binding, and execution.

First, the attacker navigates to the ObjectAlias creation interface and injects a standard XSS vector into the name field. A viable proof-of-concept payload utilizes the <img> tag with an intentional error to trigger execution: <img src=x onerror=alert(document.domain)>. The application accepts this input and stores it in the database.

Next, the attacker must ensure the payload is rendered in a commonly viewed area. They create or modify a DataFlow record, assigning the malicious ObjectAlias as either a source or destination. This binds the poisoned data to the primary table view.

Finally, the payload executes passively. When a victim (such as a NetBox administrator) loads the Data Flow list page or any model tab rendering the DataFlowTable, the application processes the object_list_to_string function. The browser parses the resulting HTML, encounters the malicious <img> tag, fails to load the nonexistent source x, and immediately executes the JavaScript defined in the onerror handler.

The impact of this vulnerability is designated as High due to the context in which NetBox operates. NetBox functions as a central source of truth for network infrastructure, often containing sensitive topologies, device credentials, and configuration states. Exploitation leverages the implicit trust boundaries of the application.

The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (8.7). The scope change (S:C) reflects the fact that an attacker with low privileges can execute actions in the security context of a high-privilege victim. User interaction (UI:R) is strictly required, as the victim must actively navigate to the poisoned page.

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session. This capability enables the extraction of session identifiers, CSRF tokens, and sensitive data visible within the NetBox interface. More critically, an attacker can script the victim's browser to silently issue state-changing administrative API requests in the background, effectively elevating their privileges and altering infrastructure records without direct authorization.

The primary remediation strategy is to upgrade the netbox-data-flows package to version 1.5.1 or later. This release addresses the vulnerability by modifying the custom table column rendering logic to properly encode user input before marking the resulting string as safe for HTML rendering.

Administrators should verify the installed package version using the pip show netbox-data-flows command within the NetBox Python environment. If the version is prior to 1.5.1, an immediate update should be scheduled. Following the upgrade, the NetBox service must be restarted to ensure the new plugin code is loaded into memory.

As a proactive measure, security teams can audit existing ObjectAlias records in the database for potential indicators of compromise. Database queries or API scripts should search the name field for common HTML tags (e.g., <script>, <img>, <iframe>) and event handlers (e.g., onerror, onload). Identifying such patterns may indicate attempted or successful exploitation prior to patching.