GHSA-528q-4pgm-wvg2: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type
The go-httpbin framework is vulnerable to XSS because the user can control the response Content-Type
through a GET parameter. This allows an attacker to execute cross-site scripts in a victim's browser.
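An added example, not go-httpbin's code or its actual fix: a minimal Go handler showing the flaw class described above (response Content-Type taken from a GET parameter) beside a hardened variant that honours only an allowlist of media types browsers do not render as active content and sets `X-Content-Type-Options: nosniff`. The handler names, the `content-type` and `body` parameter names, and the allowlist are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// safeTypes is a hypothetical allowlist of media types that browsers do not execute.
var safeTypes = map[string]bool{
	"text/plain":       true,
	"application/json": true,
}

// pickContentType returns the requested media type only if allowlisted, else a text/plain default.
func pickContentType(requested string) string {
	mt, _, err := mime.ParseMediaType(requested) // lowercases the type, splits off parameters
	if err != nil || !safeTypes[mt] {
		return "text/plain; charset=utf-8"
	}
	return mt
}

// vulnerableEcho (hypothetical): the client chooses the response Content-Type.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", r.URL.Query().Get("content-type"))
	fmt.Fprint(w, r.URL.Query().Get("body"))
}

// hardenedEcho (hypothetical): same behaviour, but the type is constrained and sniffing disabled.
func hardenedEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", pickContentType(r.URL.Query().Get("content-type")))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, r.URL.Query().Get("body"))
}

// responseType sends a constructed GET request to h and returns the Content-Type it answered with.
func responseType(h http.HandlerFunc, query string) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/echo?"+query, nil))
	return rec.Header().Get("Content-Type")
}

func main() {
	q := "content-type=text/html&body=hello" // constructed sample request
	fmt.Println("vulnerable:", responseType(vulnerableEcho, q))
	fmt.Println("hardened:  ", responseType(hardenedEcho, q))
}
```

The same `responseType` helper can serve as a regression check against a real handler: a request asking for `text/html` should never come back with that type.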