CVE-2022-0088

7.4 HIGH

📋 TL;DR

CVE-2022-0088 is a Cross-Site Request Forgery (CSRF) vulnerability in YOURLS URL shortener software versions prior to 1.8.3. This allows attackers to trick authenticated administrators into performing unintended actions by visiting malicious web pages. All YOURLS installations with admin access are affected.

💻 Affected Systems

Products:
  • YOURLS (Your Own URL Shortener)
Versions: All versions prior to 1.8.3
Operating Systems: All operating systems running YOURLS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin access enabled. The vulnerability is in the admin interface CSRF protection.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete takeover of the YOURLS instance through admin account compromise, allowing attackers to modify all URLs, change settings, or delete the installation.

🟠 Likely Case

Unauthorized URL creation, modification, or deletion by tricking an admin into clicking a malicious link while logged into YOURLS.

🟢 If Mitigated

No impact if proper CSRF tokens are implemented and validated for all state-changing actions.

🌐 Internet-Facing: HIGH - YOURLS is typically deployed as an internet-facing URL shortener service, making it accessible to attackers.
🏢 Internal Only: MEDIUM - Even internal deployments are vulnerable if admins can be tricked into visiting malicious pages.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be logged into YOURLS admin interface and visit a malicious page. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.3

Vendor Advisory: https://github.com/yourls/yourls/commit/1de256d8694b0ec7d4df2ac1d5976d4055e09d59

Restart Required: No

Instructions:

1. Back up your YOURLS installation and database.
2. Download YOURLS 1.8.3 or later from GitHub.
3. Replace all files except user/config.php and user/plugins/.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Add CSRF Protection Headers (applies to: all)
  • Implement custom CSRF token validation for all admin actions
  • Modify YOURLS admin PHP files to include CSRF token checks on all POST requests

Restrict Admin Access (applies to: all)
  • Limit admin interface access to specific IP addresses or networks
  • Add IP restrictions in .htaccess or the web server configuration for the admin directory

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies for admin sessions
  • Require re-authentication for all sensitive admin actions

🔍 How to Verify

Check if Vulnerable:

Check the YOURLS version in the admin interface, or examine the includes/version.php file for a version number lower than 1.8.3.

Check Version:

grep "define( 'YOURLS_VERSION'," includes/version.php

Verify Fix Applied:

Verify that the version is 1.8.3 or higher, and test that admin actions are rejected when they do not carry a valid CSRF token.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed admin actions from same IP
  • Admin actions without proper referrer headers
  • Unexpected URL creations or modifications

Network Indicators:

  • HTTP POST requests to admin endpoints without CSRF tokens
  • Requests with mismatched referrer headers

SIEM Query:

source="yourls_logs" AND (action="create" OR action="delete" OR action="update") AND csrf_token=""
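As an added example (not part of this advisory and not YOURLS code), the referer-based log indicators above can be checked with a small script: it parses constructed combined-format access-log lines and flags POST requests into the admin directory whose Referer is missing or points at a different host. The site host short.example, the /admin/ prefix and the endpoint paths are assumptions for the sample data.

```python
import re
from urllib.parse import urlparse

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; host names and admin paths are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "https://short.example/admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2022:10:00:09 +0000] "POST /admin/admin-ajax.php HTTP/1.1" 200 210 "https://short.example/admin/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2022:10:02:33 +0000] "POST /admin/admin-ajax.php HTTP/1.1" 200 210 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2022:10:02:40 +0000] "POST /admin/admin-ajax.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2022:10:05:00 +0000] "GET /abc123 HTTP/1.1" 301 0 "-" "curl/7.68.0"
"""

def find_suspicious_admin_posts(log_text, site_host, admin_prefix="/admin/"):
    """Return (line_number, ip, path, referer, reason) for each POST into the
    admin directory whose Referer is absent or comes from a foreign host."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith(admin_prefix):
            continue  # only state-changing admin requests matter here
        ref = m["referer"]
        if ref in ("", "-"):
            reason = "missing referer"
        elif urlparse(ref).hostname != site_host:
            reason = "cross-site referer"
        else:
            continue  # same-origin referer: expected for normal admin use
        findings.append((n, m["ip"], m["path"], ref, reason))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_admin_posts(SAMPLE_LOG, "short.example"):
        print(finding)
```

A missing Referer is only a weak signal, since browser referrer policies can strip it on legitimate requests; the cross-site case is the stronger indicator and the one worth alerting on.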
