Advisories for Npm/Wetty package

2026

wetty vulnerable to DOM XSS via file-download filename

The wetty client decodes a base64 filename from the file-download escape sequence and interpolates it raw into a Toastify HTML string (escapeMarkup: false). Any output the victim renders - a cat'd file, a tailed log, an SSH MOTD, a curl response - that contains \x1b[5i…:…\x1b[4i runs script in the wetty origin and types attacker-chosen keystrokes into the victim's SSH session.
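An added example, not wetty's own code: the decode-and-render step as the advisory describes it, with the raw interpolation beside an escaped version. The regex for the `\x1b[5i…:…\x1b[4i` sequence and the function names are assumptions; the sample output is constructed.

```javascript
// Added example (not the wetty source). Shows why interpolating a decoded
// filename into an HTML string rendered with escapeMarkup: false is a DOM XSS,
// and how escaping (or passing plain text) closes it.
const ESC = '\x1b';

// Assumed shape of the file-download sequence: ESC[5i <base64 name>:<base64 data> ESC[4i
const DOWNLOAD_RE = /\x1b\[5i([A-Za-z0-9+\/=]*):([A-Za-z0-9+\/=]*)\x1b\[4i/;

// Browser-style base64 decode (atob + TextDecoder, both globals in modern Node too).
function decodeBase64Utf8(b64) {
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Minimal HTML escaping for text placed inside element content or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the filename out of terminal output; null when no sequence is present.
function parseDownloadSequence(output) {
  const m = DOWNLOAD_RE.exec(output);
  if (!m) return null;
  return { filename: decodeBase64Utf8(m[1]), dataB64: m[2] };
}

// Vulnerable pattern: untrusted filename dropped straight into markup that a
// toast library will render as HTML (escapeMarkup: false).
function unsafeNoticeHtml(filename) {
  return `Downloaded ${filename}`;
}

// Hardened pattern: escape first (or leave escapeMarkup at its default and
// hand the library plain text, which it then treats as text, not markup).
function safeNoticeHtml(filename) {
  return `Downloaded ${escapeHtml(filename)}`;
}

// Constructed sample: server output carrying a filename that contains markup.
const SAMPLE_OUTPUT =
  'ls -l\r\n' + ESC + '[5i' + btoa('<b>report</b>.txt') + ':' + btoa('hello') + ESC + '[4i';

function demo() {
  const parsed = parseDownloadSequence(SAMPLE_OUTPUT);
  return { unsafe: unsafeNoticeHtml(parsed.filename), safe: safeNoticeHtml(parsed.filename) };
}
```

The unsafe string still carries the `<b>` tags into the page; the escaped one renders them as literal text.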