CVE-2024-53274

6.1 MEDIUM

📋 TL;DR

This reflected cross-site scripting vulnerability in Habitica allows attackers to execute arbitrary JavaScript in victims' browsers by manipulating the 'redirectTo' parameter. Users of Habitica versions before 5.28.5 are affected. The attack occurs when victims click malicious links containing the crafted parameter.

💻 Affected Systems

Products:
  • Habitica
Versions: All versions prior to 5.28.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the register function of the home.vue component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker steals session cookies, performs account takeover, and manipulates user data or habits in Habitica.

🟠 Likely Case: Attacker steals session tokens to impersonate users, potentially accessing personal habit data and account information.

🟢 If Mitigated: With proper input validation and output encoding, the malicious script would be neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires user interaction (clicking malicious link) but exploitation is straightforward once the malicious URL is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.28.5

Vendor Advisory: https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf

Restart Required: Yes

Instructions:

1. Update Habitica to version 5.28.5 or later.
2. Restart the application server.
3. Verify the fix by confirming that the deployed build includes the sanitization commit referenced in the vendor advisory.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side validation that rejects redirectTo parameter values containing script tags or JavaScript.

Use an allow-list regex for the redirectTo parameter, e.g. /^[a-zA-Z0-9\/\?\=\&\-\.\_\~\%\+]*$/, and reject any value that does not match.
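The following is an added example, not Habitica's code and not the commit referenced in the advisory. It applies the advisory's character allow-list to a redirectTo value on the server side and goes one step further than the regex alone: it percent-decodes and re-checks the value (so encoded characters cannot slip past the first check) and only accepts origin-relative paths, so a value can never name another origin or a javascript: URL. The function names, the 2048-character cap and the fallback path of "/" are assumptions for the example.

```javascript
// Added example (not Habitica's code): server-side allow-list validation for a
// redirectTo query parameter. Rejected values fall back to a safe default path.

// Character allow-list quoted in the advisory's workaround.
const ALLOWED_CHARS = /^[a-zA-Z0-9\/\?\=\&\-\.\_\~\%\+]*$/;
const MAX_LENGTH = 2048; // assumed cap; keeps oversized values out of headers and logs

function validateRedirectTo(raw, fallback = '/') {
  const reject = (reason) => ({ ok: false, value: fallback, reason });

  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LENGTH) {
    return reject('missing-or-oversized');
  }
  // 1. The raw value must match the allow-list (rejects <, >, quotes, parens,
  //    ':' and whitespace, which covers script tags and javascript: URLs).
  if (!ALLOWED_CHARS.test(raw)) {
    return reject('disallowed-characters');
  }
  // 2. Percent-decode once and re-check, so %3C, %0d%0a and similar cannot
  //    smuggle a disallowed character past step 1. Malformed escapes are rejected.
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return reject('malformed-encoding');
  }
  if (!ALLOWED_CHARS.test(decoded)) {
    return reject('disallowed-characters-after-decoding');
  }
  // 3. Must be an origin-relative path: "/tasks" is fine, "//host", "tasks"
  //    and "%2F%2Fhost" are not. The advisory regex alone does not enforce this.
  if (decoded[0] !== '/' || decoded[1] === '/') {
    return reject('not-relative-path');
  }
  return { ok: true, value: raw, reason: null };
}

// How a register handler would consume it: the navigation target is built
// only from the validated value, never from the raw query string.
function registerRedirectTarget(query) {
  return validateRedirectTo(query.redirectTo).value;
}

// Constructed inputs for a quick run (call demo() from a REPL or script).
const SAMPLE_INPUTS = [
  '/tasks?tab=1',
  "<script>alert('XSS')</script>",
  'javascript:alert(1)',
  '//evil.example/',
  '%2F%2Fevil.example',
  '/profile%0d%0aX-Injected',
  'tasks',
  '/x%',
];

function demo() {
  return SAMPLE_INPUTS.map((s) => ({ input: s, ...validateRedirectTo(s) }));
}
```

The value returned on success is the original, still percent-encoded string, which is what belongs in a Location header or a client-side navigation call; the decoded copy exists only for the checks.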

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) rule to block requests whose redirectTo parameter contains script tags or JavaScript.
  • Educate users to avoid clicking untrusted links.
  • Deploy Content Security Policy (CSP) headers to restrict script execution.

🔍 How to Verify

Check if Vulnerable:

Request the register endpoint with a redirectTo parameter containing <script>alert('XSS')</script> and check whether the script executes.

Check Version:

Check package.json or application version endpoint for Habitica version number.

Verify Fix Applied:

After patching, test the same payload; it should be properly sanitized and not execute.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to register endpoint with redirectTo parameter containing script tags or JavaScript code
  • Unusual redirect patterns in access logs

Network Indicators:

  • Outbound connections to suspicious domains following redirects from Habitica
  • Unusual POST/GET parameters in web traffic

SIEM Query:

source="web_logs" AND uri="/register" AND (redirectTo CONTAINS "<script>" OR redirectTo CONTAINS "javascript:")
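The SIEM query above matches the literal strings "<script>" and "javascript:", which a percent-encoded or mixed-case value would not trigger. The following is an added example, not Habitica's code and not any SIEM vendor's query language: it applies the same log indicator to access-log lines, but parses the request target, decodes the redirectTo value (repeatedly, to also catch double encoding) and matches case-insensitively. The log lines are constructed for the example, the combined log format is assumed, and the function names are the example's own.

```javascript
// Added example (not Habitica's code): scan access-log lines for /register
// requests whose redirectTo parameter decodes to a script tag or javascript: URL.

// Combined log format: ip ident user [time] "METHOD target PROTO" status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// The two indicators from the advisory's SIEM query, tolerant of case and whitespace.
const SUSPICIOUS = /<\s*script|javascript\s*:/i;

// Decode up to `rounds` times until the value stops changing. Undecodable input
// is returned as-is so a malformed escape cannot make the value disappear.
function fullyDecode(value, rounds = 3) {
  let current = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns null for lines that are not well-formed requests.
function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target, status] = m;
  let url;
  try { url = new URL(target, 'http://localhost'); } catch (e) { return null; }
  return { ip, timestamp, method, status, path: url.pathname, query: url.searchParams };
}

// One hit per /register request whose decoded redirectTo matches SUSPICIOUS.
function scanAccessLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const req = parseLogLine(line);
    if (!req || req.path !== '/register') continue;
    const raw = req.query.get('redirectTo'); // already decoded once by URLSearchParams
    if (raw === null) continue;
    const decoded = fullyDecode(raw);
    if (SUSPICIOUS.test(decoded)) {
      hits.push({ ip: req.ip, timestamp: req.timestamp, redirectTo: decoded });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic). Lines 2, 3 and 4 should be flagged;
// line 1 is benign and line 5 targets a different path.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Dec/2024:10:12:01 +0000] "GET /register?redirectTo=%2Ftasks HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Dec/2024:10:12:09 +0000] "GET /register?redirectTo=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Dec/2024:10:13:22 +0000] "GET /register?redirectTo=JaVaScRiPt:alert(1) HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Dec/2024:10:14:40 +0000] "GET /register?redirectTo=%253Cscript%253E HTTP/1.1" 200 1532 "-" "curl/8.0"',
  '198.51.100.8 - - [10/Dec/2024:10:15:03 +0000] "GET /login?redirectTo=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
].join('\n');

function demo() {
  return scanAccessLog(SAMPLE_LOG);
}
```

The path filter mirrors the advisory's uri="/register" condition; widening it to every endpoint that accepts redirectTo is a one-line change if other routes reuse the parameter.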
