CVE-2024-33831
📋 TL;DR
This stored XSS vulnerability in YAPI's Advanced Expectation-Response module allows attackers to inject malicious scripts that execute when users view affected pages. Anyone running YAPI v1.10.2 with this module enabled is vulnerable. Attackers can steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- YAPI
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data exfiltration, and lateral movement within the YAPI platform leading to compromise of API testing infrastructure and potentially connected systems.
Likely Case
Session hijacking, credential theft, and unauthorized actions performed within the YAPI interface by authenticated users.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and input validation/sanitization is enforced at multiple layers.
🎯 Exploit Status
Exploitation requires ability to create or modify expectations/responses in YAPI. Public GitHub issue shows proof-of-concept payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.11.0 or later
Vendor Advisory: https://github.com/YMFE/yapi/issues/2745
Restart Required: Yes
Instructions:
1. Back up your YAPI database and configuration.
2. Update YAPI to version 1.11.0 or later using npm update or by pulling the latest code from the GitHub repository.
3. Restart the YAPI service.
4. Verify the fix by checking the version and testing payload injection.
🔧 Temporary Workarounds
Disable Advanced Expectation-Response Module
Temporarily disable the vulnerable module if it is not required for operations.
Modify the YAPI configuration to disable advanced expectation features, or restrict access to these functions.
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources.
Send the HTTP response header Content-Security-Policy: default-src 'self'; script-src 'self' so that inline and third-party scripts are blocked.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all body field inputs
- Restrict user permissions to prevent unauthorized users from creating/modifying expectations
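The output-encoding and CSP recommendations above, as an added example that is not part of the original advisory and not YAPI's own code. It runs under Node.js with no dependencies; the function names, the expectation object shape and the middleware signature are assumptions.

```javascript
// Added example (not YAPI's code): HTML-encode a stored expectation body
// before rendering it, and set the CSP header recommended above.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so the browser treats it as text, never as markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern for contrast: the stored body goes into the page as-is.
function renderExpectationBodyUnsafe(expectation) {
  return `<pre class="res-body">${expectation.body}</pre>`;
}

// Hardened pattern: every body field is encoded at the output layer.
function renderExpectationBody(expectation) {
  return `<pre class="res-body">${encodeForHtml(expectation.body)}</pre>`;
}

// CSP value from the workaround section: only same-origin scripts may run,
// so an injected inline <script> is blocked even where encoding was missed.
const CSP_VALUE = "default-src 'self'; script-src 'self'";

// Hypothetical middleware shape: `res` only needs a setHeader(name, value).
function applyCsp(res) {
  res.setHeader('Content-Security-Policy', CSP_VALUE);
  return res;
}

// Constructed sample: the payload the verification step of this page uses.
const SAMPLE_EXPECTATION = { body: "<script>alert('XSS')</script>" };

console.log('unsafe :', renderExpectationBodyUnsafe(SAMPLE_EXPECTATION));
console.log('encoded:', renderExpectationBody(SAMPLE_EXPECTATION));
```

Encoding at render time covers the stored-XSS path regardless of how the value reached the database; the CSP header is the second layer the "If Mitigated" section describes, and it does nothing for reflected values that are already script-free, so both should be in place.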
🔍 How to Verify
Check if Vulnerable:
Check if running YAPI v1.10.2 and test by attempting to inject <script>alert('XSS')</script> into expectation body fields
Check Version:
Check package.json for version or run 'npm list yapi' in YAPI installation directory
Verify Fix Applied:
After updating, attempt the same XSS payload injection and verify it's properly sanitized or blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual length or pattern in expectation/response body fields
- Multiple failed attempts to inject script tags
- Unexpected JavaScript execution in YAPI interface
Network Indicators:
- Outbound connections to suspicious domains from YAPI server
- Unusual API calls to expectation endpoints
SIEM Query:
source="yapi" AND (body_field CONTAINS "<script>" OR body_field CONTAINS "javascript:")
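The SIEM query and the log indicators above, as an added example that is not part of the original advisory and not YAPI's own code. It runs the same checks over a few constructed log records, extending the query slightly: the tag match is case-insensitive (so mixed-case tags are caught), an oversized body is flagged as the "unusual length" indicator, and repeated hits from one user are reported as the "multiple attempts" indicator. The record fields, the size threshold and the endpoint names are assumptions.

```javascript
// Added example (not YAPI's code): scan constructed expectation-update
// log records for the indicators listed in the Detection section.

// Hypothetical baseline for a normal expectation body; tune per deployment.
const MAX_BODY_LEN = 4096;

const PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },   // body CONTAINS "<script>"
  { name: 'javascript-uri', re: /javascript\s*:/i }, // body CONTAINS "javascript:"
];

// Return the list of indicator names that fire for one record.
function inspectRecord(rec) {
  const reasons = [];
  const body = String(rec.body ?? '');
  for (const p of PATTERNS) {
    if (p.re.test(body)) reasons.push(p.name);
  }
  if (body.length > MAX_BODY_LEN) reasons.push('oversized-body');
  return reasons;
}

// Scan records with source="yapi"; flag hits and list users who repeat.
function scanLogs(records, repeatThreshold = 2) {
  const flagged = [];
  const perUser = new Map();
  for (const rec of records) {
    if (rec.source !== 'yapi') continue;
    const reasons = inspectRecord(rec);
    if (reasons.length === 0) continue;
    flagged.push({ ...rec, reasons });
    perUser.set(rec.user, (perUser.get(rec.user) || 0) + 1);
  }
  const repeatOffenders = [...perUser]
    .filter(([, n]) => n >= repeatThreshold)
    .map(([user]) => user);
  return { flagged, repeatOffenders };
}

// Constructed sample records (field names and endpoint are hypothetical).
const SAMPLE_LOGS = [
  { ts: '2024-05-01T10:00:00Z', source: 'yapi', user: 'alice',
    endpoint: 'expectation/save', body: '{"code":0,"data":[]}' },
  { ts: '2024-05-01T10:01:00Z', source: 'yapi', user: 'mallory',
    endpoint: 'expectation/save', body: '<ScRiPt>alert(1)</ScRiPt>' },
  { ts: '2024-05-01T10:02:00Z', source: 'yapi', user: 'mallory',
    endpoint: 'expectation/save', body: '<a href="javascript:void(0)">x</a>' },
  { ts: '2024-05-01T10:03:00Z', source: 'yapi', user: 'bob',
    endpoint: 'expectation/save', body: 'x'.repeat(5000) },
  { ts: '2024-05-01T10:04:00Z', source: 'nginx', user: '-',
    endpoint: '-', body: '<script>' },   // wrong source, must be ignored
];

const result = scanLogs(SAMPLE_LOGS);
for (const hit of result.flagged) {
  console.log(`${hit.ts} user=${hit.user} reasons=${hit.reasons.join(',')}`);
}
console.log('repeat offenders:', result.repeatOffenders.join(',') || 'none');
```

The literal query on the page misses a body written as <SCRIPT> or with whitespace after the angle bracket; matching case-insensitively and on the tag prefix rather than the full "<script>" string closes that gap without changing what the query is looking for.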