ghsa-2gxp-6r36-m97r
Vulnerability from github
Published
2025-07-21 14:08
Modified
2025-07-23 18:41
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Summary
Cadwyn vulnerable to XSS on the docs page
Details

Summary

The version parameter of the /docs endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack.

PoC

  1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/
  2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27

Impact

Refer to this security advisory for an example of the impact of a similar vulnerability that shares the same root cause.

This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack.

A CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Details

The vulnerable code snippet can be found in the 2 functions swagger_dashboard and redoc_dashboard: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413

The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments.

```python async def swagger_dashboard(self, req: Request) -> Response: version = req.query_params.get("version")

    if version:
        root_path = self._extract_root_path(req)
        openapi_url = root_path + f"{self.openapi_url}?version={version}"
        oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url
        if oauth2_redirect_url:
            oauth2_redirect_url = root_path + oauth2_redirect_url
        return get_swagger_ui_html(
            openapi_url=openapi_url,
            title=f"{self.title} - Swagger UI",
            oauth2_redirect_url=oauth2_redirect_url,
            init_oauth=self.swagger_ui_init_oauth,
            swagger_ui_parameters=self.swagger_ui_parameters,
        )
    return self._render_docs_dashboard(req, cast("str", self.docs_url))

```

In this case, the openapi_url variable contains the version which comes from a user supplied query string without encoding or sanitisation. The user controlled injection ends up inside of a string in a <script> tag context: https://github.com/fastapi/fastapi/blob/master/fastapi/openapi/docs.py#L132

python f""" ... const ui = SwaggerUIBundle({{ url: '{openapi_url}', """

By simply injecting a single quote we can escape from the string context and execute JavaScript like so '+alert(document.domain)+'

The resulting HTML sent back from the server contains the following injection:

python const ui = SwaggerUIBundle({ url: '/openapi/flows.json?flows='+alert(document.domain)+'',

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cadwyn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T14:08:40Z",
    "nvd_published_at": "2025-07-21T21:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack.\n\n### PoC\n1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/\n2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27\n\n### Impact\nRefer to this [security advisory](https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v) for an example of the impact of a similar vulnerability that shares the same root cause.\n\nThis XSS would notably allow an attacker to execute JavaScript code on a user\u0027s session for any application based on `Cadwyn` via a one-click attack.\n\nA CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\n\n### Details\nThe vulnerable code snippet can be found in the 2 functions `swagger_dashboard` and `redoc_dashboard`: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413\n\nThe implementation uses the [get_swagger_ui_html](https://fastapi.tiangolo.com/reference/openapi/docs/?h=get_swagger_ui_html#fastapi.openapi.docs.get_swagger_ui_html) function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments.\n\n```python\n    async def swagger_dashboard(self, req: Request) -\u003e Response:\n        version = req.query_params.get(\"version\")\n\n        if version:\n            root_path = self._extract_root_path(req)\n            openapi_url = root_path + f\"{self.openapi_url}?version={version}\"\n            oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url\n            if oauth2_redirect_url:\n                oauth2_redirect_url = root_path + oauth2_redirect_url\n            return get_swagger_ui_html(\n                openapi_url=openapi_url,\n                title=f\"{self.title} - Swagger UI\",\n                oauth2_redirect_url=oauth2_redirect_url,\n                init_oauth=self.swagger_ui_init_oauth,\n                swagger_ui_parameters=self.swagger_ui_parameters,\n            )\n        return self._render_docs_dashboard(req, cast(\"str\", self.docs_url))\n```\n\nIn this case, the `openapi_url` variable contains the version which comes from a user supplied query string without encoding or sanitisation. The user controlled injection ends up inside of a string in a `\u003cscript\u003e` tag context: https://github.com/fastapi/fastapi/blob/master/fastapi/openapi/docs.py#L132\n\n```python\n    f\"\"\"\n    ...\n    const ui = SwaggerUIBundle({{\n        url: \u0027{openapi_url}\u0027,\n    \"\"\"\n```\n\nBy simply injecting a single quote we can escape from the string context and execute JavaScript like so `\u0027+alert(document.domain)+\u0027`\n\nThe resulting HTML sent back from the server contains the following injection:\n\n```python\n  const ui = SwaggerUIBundle({\n        url: \u0027/openapi/flows.json?flows=\u0027+alert(document.domain)+\u0027\u0027,\n```",
  "id": "GHSA-2gxp-6r36-m97r",
  "modified": "2025-07-23T18:41:43Z",
  "published": "2025-07-21T14:08:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cadwyn/PYSEC-2025-71.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zmievsa/cadwyn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zmievsa/cadwyn/blob/5.4.3/CHANGELOG.md#543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cadwyn vulnerable to XSS on the docs page"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.