CVE-2025-45286: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type
The go-httpbin framework is vulnerable to reflected XSS because the client can control the response Content-Type via a GET parameter. This allows an attacker to execute cross-site scripts in a victim's browser.
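An added illustration, not go-httpbin's own code or its fix, of the pattern the advisory describes beside a defensive alternative: the handler names, the `content-type`/`body` query parameters and the allowlist are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// The advisory's pattern: the client's content-type parameter is copied into
// the response header unchecked. Illustrative only, not go-httpbin's code.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if ct := r.URL.Query().Get("content-type"); ct != "" {
		w.Header().Set("Content-Type", ct)
	}
	w.Write([]byte(r.URL.Query().Get("body")))
}

// Assumed allowlist: clients may choose among these non-HTML types only.
var allowedContentTypes = map[string]bool{"text/plain": true, "application/json": true}

// safeContentType lowercases the requested media type, drops client parameters and enforces the allowlist.
func safeContentType(requested string) string {
	mt, _, err := mime.ParseMediaType(requested)
	if err != nil || !allowedContentTypes[mt] {
		return "text/plain; charset=utf-8"
	}
	return mt + "; charset=utf-8"
}

// hardenedHandler echoes the same body but never emits an HTML content type, and adds nosniff.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", safeContentType(r.URL.Query().Get("content-type")))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte(r.URL.Query().Get("body")))
}

// probe serves one constructed GET request and returns the Content-Type and X-Content-Type-Options headers.
func probe(h http.HandlerFunc, target string) (contentType, nosniff string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Content-Type"), rec.Header().Get("X-Content-Type-Options")
}

func main() {
	ct, _ := probe(vulnerableHandler, "/echo?content-type=text/html&body=hello")
	hct, ns := probe(hardenedHandler, "/echo?content-type=text/html&body=hello")
	fmt.Printf("vulnerable: %q\nhardened:   %q (nosniff=%q)\n", ct, hct, ns)
}
```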
References
- github.com/advisories/GHSA-528q-4pgm-wvg2
- github.com/mccutchen/go-httpbin
- github.com/mccutchen/go-httpbin/commit/0decfd1a2e88d85ca6bfb8a92421653f647cbc04
- github.com/mccutchen/go-httpbin/releases/tag/v2.18.0
- github.com/mccutchen/go-httpbin/security/advisories/GHSA-528q-4pgm-wvg2
- nvd.nist.gov/vuln/detail/CVE-2025-45286