CVE-2026-54163: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
secure_headers builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders (build_sandbox_list_directive, build_media_type_list_directive, build_report_to_directive) interpolate caller-supplied strings into that value without scrubbing ;, \r, or \n.
When an application forwards untrusted input into SecureHeaders.override_content_security_policy_directives (or append_…) for :sandbox, :plugin_types, or :report_to, an attacker can embed a literal ; and inject an arbitrary CSP directive into the header value. Because :sandbox and :plugin_types both sort alphabetically before :script_src in BODY_DIRECTIVES, the injected script-src lands earlier in the header and wins under the CSP first-occurrence rule, defeating the application’s real script-src. End result: an 'unsafe-inline' * policy is forced for inline <script> despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.
An existing ;/\n scrub is already present in the source-list builder (build_source_list_directive), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-54163 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →