CVE-2024-29882

7.2 HIGH

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in the SRS video server's HTTP API endpoint. Attackers can inject malicious JavaScript via the callback query parameter, potentially compromising user sessions or performing unauthorized actions in the context of whoever loads the response. Anyone running a vulnerable SRS version with the API exposed is affected.

💻 Affected Systems

Products:
  • SRS (Simple Realtime Server)
Versions: All 5.0.x versions before 5.0.210 and all 6.0.x versions before 6.0.121
Operating Systems: All platforms running SRS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the API endpoint accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete session hijacking, credential theft, or redirection to malicious sites leading to full system compromise.

🟠 Likely Case: Session hijacking, unauthorized API calls, or defacement of the video server interface.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited with simple payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.210 or 6.0.121

Vendor Advisory: https://github.com/ossrs/srs/security/advisories/GHSA-gv9r-qcjc-5hj7

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the SRS service.
3. Update to version 5.0.210+ or 6.0.121+.
4. Restart the SRS service.
5. Verify the fix.

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all
Add input validation to filter the callback parameter: modify the API endpoint code to validate the callback parameter against allowed characters.

Disable Vulnerable Endpoint
Applies to: all
Temporarily disable the affected API endpoint: comment out or remove the /api/v1/vhosts/vid-* endpoint configuration.
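The input validation workaround above amounts to an allowlist on the callback name. The following is an added illustration in C++ (the language SRS is written in); it is not SRS project code and its function names, the 64-character limit and the permitted character set are assumptions, not values from the advisory. The idea is that a callback value is only ever echoed into the response if it looks like a plain JavaScript identifier path; anything else falls back to the unwrapped JSON body so attacker-supplied markup never reaches the page.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical allowlist check for a JSONP-style callback parameter (added
// example, not SRS project code). Accepts only names of the form
// [A-Za-z_$][A-Za-z0-9_$.]* up to kMaxLen characters, with no leading digit,
// no trailing '.' and no "..", so the value can never carry '<', '>', '(',
// quotes or other script/markup delimiters.
bool is_safe_callback(const std::string& cb) {
    const size_t kMaxLen = 64;  // assumed limit, not from the advisory
    if (cb.empty() || cb.size() > kMaxLen) return false;
    auto ident_start = [](unsigned char c) { return std::isalpha(c) || c == '_' || c == '$'; };
    auto ident_char  = [](unsigned char c) { return std::isalnum(c) || c == '_' || c == '$' || c == '.'; };
    if (!ident_start(static_cast<unsigned char>(cb[0]))) return false;
    for (size_t i = 1; i < cb.size(); ++i) {
        if (!ident_char(static_cast<unsigned char>(cb[i]))) return false;
    }
    // A member path like "app.handlers.cb" is fine; "cb." or "a..b" is not.
    if (cb.back() == '.' || cb.find("..") != std::string::npos) return false;
    return true;
}

// Hypothetical response builder: wrap the JSON body in the callback only when
// the name passes the allowlist; otherwise return plain JSON rather than echo
// untrusted input into a script context.
std::string render_api_response(const std::string& json_body, const std::string& callback) {
    if (callback.empty() || !is_safe_callback(callback)) return json_body;
    return callback + "(" + json_body + ");";
}

int main() {
    const std::string body = "{\"code\":0}";
    // Constructed inputs: a benign name and a markup-bearing one.
    std::cout << render_api_response(body, "onVhost") << "\n";                      // onVhost({"code":0});
    std::cout << render_api_response(body, "<script>alert(1)</script>") << "\n";     // {"code":0}
    return 0;
}
```

When the fallback path is taken the handler should also keep the Content-Type as application/json rather than application/javascript, so a browser never treats the body as a script; the validator itself is independent of where the parameter arrives, so the same check can sit in a reverse proxy in front of the API while the server is unpatched.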

🧯 If You Can't Patch

  • Implement WAF rules to block malicious callback parameters
  • Restrict access to the API endpoint using network ACLs

🔍 How to Verify

Check if Vulnerable:

Check whether the SRS version is a 5.0.x release below 5.0.210 or a 6.0.x release below 6.0.121, and whether the API endpoint is reachable by clients.

Check Version:

srs -v or check SRS configuration file for version

Verify Fix Applied:

Test the callback parameter with XSS payloads after patching to confirm they are sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual callback parameter values in API logs
  • JavaScript payloads in request logs

Network Indicators:

  • HTTP requests with suspicious callback parameters
  • Unexpected script tags in API responses

SIEM Query:

source="srs" AND uri="/api/v1/vhosts/vid-*" AND (query="*callback=*<script*" OR query="*callback=*javascript:*")
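The SIEM query above matches the two payload markers literally, so a request that percent-encodes them (for example %3Cscript) would slip past it. The following added C++ example, written for this page and not taken from SRS or any SIEM product, applies the same rule over a handful of constructed log lines, but percent-decodes and lower-cases the callback value first. The "METHOD URI STATUS" line shape, the function names and the sample lines are all assumptions.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample log lines in a simple "METHOD URI STATUS" shape (not real
// SRS log output); only the URI field is inspected.
static const std::vector<std::string> kSampleLog = {
    "GET /api/v1/vhosts/vid-abc123?callback=onVhost 200",
    "GET /api/v1/vhosts/vid-abc123?callback=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "GET /api/v1/vhosts/vid-def456?callback=JavaScript:alert(document.cookie) 200",
    "GET /api/v1/streams?callback=<script>x</script> 200",
    "GET /api/v1/vhosts/vid-abc123?callback=jQuery1_cb&foo=bar 200",
};

// Decode %XX sequences and '+' so encoded payloads are not missed.
std::string percent_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (s[i] == '+') {
            out += ' ';
        } else {
            out += s[i];
        }
    }
    return out;
}

std::string to_lower(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Return the raw (still encoded) value of a query parameter, or "" if absent.
std::string query_param(const std::string& uri, const std::string& name) {
    size_t q = uri.find('?');
    if (q == std::string::npos) return "";
    std::string qs = uri.substr(q + 1);
    size_t pos = 0;
    while (pos <= qs.size()) {
        size_t amp = qs.find('&', pos);
        if (amp == std::string::npos) amp = qs.size();
        std::string kv = qs.substr(pos, amp - pos);
        size_t eq = kv.find('=');
        std::string key = (eq == std::string::npos) ? kv : kv.substr(0, eq);
        if (key == name) return (eq == std::string::npos) ? "" : kv.substr(eq + 1);
        pos = amp + 1;
    }
    return "";
}

// Same rule as the page's SIEM query, with decoding applied: a hit is a request
// to /api/v1/vhosts/vid-* whose decoded, lower-cased callback value contains
// "<script" or "javascript:".
bool is_suspicious_request(const std::string& line) {
    size_t sp1 = line.find(' ');
    if (sp1 == std::string::npos) return false;
    size_t sp2 = line.find(' ', sp1 + 1);
    size_t end = (sp2 == std::string::npos) ? line.size() : sp2;
    std::string uri = line.substr(sp1 + 1, end - sp1 - 1);
    if (uri.compare(0, 19, "/api/v1/vhosts/vid-") != 0) return false;
    std::string cb = to_lower(percent_decode(query_param(uri, "callback")));
    return cb.find("<script") != std::string::npos || cb.find("javascript:") != std::string::npos;
}

// Indices of the log lines that match the rule.
std::vector<size_t> flag_suspicious(const std::vector<std::string>& log) {
    std::vector<size_t> hits;
    for (size_t i = 0; i < log.size(); ++i) {
        if (is_suspicious_request(log[i])) hits.push_back(i);
    }
    return hits;
}

int main() {
    for (size_t idx : flag_suspicious(kSampleLog)) {
        std::cout << "flagged line " << idx << ": " << kSampleLog[idx] << "\n";
    }
    return 0;
}
```

On the constructed sample the encoded script tag and the mixed-case javascript: URI are both flagged, while the identical payload against /api/v1/streams is not, because the rule is scoped to the vhosts endpoint exactly as the query is; widening that prefix, or flagging any callback value that is not a plain identifier, is a tuning decision for the monitoring team rather than something this CVE record states.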
