CVE-2025-13803
📋 TL;DR
MediaCrush 1.0.0 and 1.0.1 contain an HTTP header injection vulnerability in the Host header handling component. Attackers can inject malicious scripts via manipulated Host headers, potentially leading to cross-site scripting (XSS) attacks. This affects all MediaCrush deployments running vulnerable versions.
💻 Affected Systems
- MediaCrush
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Cross-site scripting attacks leading to session hijacking, credential theft, or defacement of the MediaCrush interface.
If Mitigated
Proper input validation and output encoding would prevent script execution, limiting impact to header manipulation without code execution.
🎯 Exploit Status
The vulnerability requires only HTTP header manipulation, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or implement workarounds.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
allBlock or sanitize Host headers containing script tags or JavaScript syntax
Reverse Proxy Header Sanitization
linuxConfigure reverse proxy (nginx/apache) to validate and sanitize Host headers before reaching MediaCrush
nginx: add 'proxy_set_header Host $http_host;' with validation
apache: use mod_headers to sanitize Host header
🧯 If You Can't Patch
- Isolate MediaCrush behind a reverse proxy with strict Host header validation
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Test by sending HTTP requests with malicious Host headers containing script tags to /mediacrush/paths.py endpointCheck Version:
Check MediaCrush version in configuration files or package manager: 'pip show mediacrush' or check project filesVerify Fix Applied:
Verify that script tags in Host headers are properly sanitized or rejected📡 Detection & Monitoring
Log Indicators:
- HTTP requests with unusual Host headers containing <script>, javascript:, or other script syntax
- Multiple failed requests with manipulated headers
Network Indicators:
- HTTP traffic to MediaCrush with abnormal Host header patterns
- Requests with encoded script payloads in headers
SIEM Query:
source="web_logs" AND (Host CONTAINS "<script>" OR Host CONTAINS "javascript:") AND dest_port=80 OR dest_port=443