x/vulndb: potential Go vuln in github.com/TecharoHQ/anubis: GHSA-cf57-c578-7jvv #4086
Description
Advisory GHSA-cf57-c578-7jvv references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/TecharoHQ/anubis |
Description:
Summary
When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases.
GET https://example.com/.within.website/?redir=javascript:alert() responds with Location: javascript:alert().
Impact
Anybody with a subrequest authentication seems affected. Using javascript: URLs will probably be blocked by most modern browsers, but using custom protocols for third-party applications might stil...
References:
- ADVISORY: GHSA-cf57-c578-7jvv
- ADVISORY: GHSA-cf57-c578-7jvv
- FIX: TecharoHQ/anubis@7ed1753
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/TecharoHQ/anubis
versions:
- fixed: 1.23.0
vulnerable_at: 1.23.0-pre2
summary: |-
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth
mode in github.com/TecharoHQ/anubis
ghsas:
- GHSA-cf57-c578-7jvv
references:
- advisory: https://github.com/TecharoHQ/anubis/security/advisories/GHSA-cf57-c578-7jvv
- advisory: https://github.com/advisories/GHSA-cf57-c578-7jvv
- fix: https://github.com/TecharoHQ/anubis/commit/7ed1753fcced351c81961bf520a7bfb2caac6e88
source:
id: GHSA-cf57-c578-7jvv
created: 2025-10-30T18:01:17.970547758Z
review_status: UNREVIEWED