CVE-2025-44595
📋 TL;DR
Halo v2.20.17 and earlier contains a cross-site scripting (XSS) vulnerability in the /halo_host/archives/{name} endpoint. This allows attackers to inject malicious scripts that execute in users' browsers when they visit compromised archive pages. All Halo instances running vulnerable versions are affected.
💻 Affected Systems
- Halo
📦 What is this software?
Halo, an open-source blogging and content management platform maintained by the halo-dev project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware through the compromised Halo instance.
Likely Case
Attackers inject malicious JavaScript to steal user session tokens or credentials, potentially leading to account takeover and unauthorized access to the Halo admin panel.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to benign data display issues.
🎯 Exploit Status
Exploitation requires crafting malicious archive names that trigger XSS when viewed. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.20.18 or later
Vendor Advisory: https://github.com/halo-dev/halo/releases
Restart Required: No
Instructions:
1. Back up your Halo instance.
2. Update to Halo v2.20.18 or later via package manager or manual installation.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize archive name parameters before processing.
Implement regex filtering: /^[a-zA-Z0-9\-_]+$/ for archive names
Output Encoding
Apply proper HTML encoding to archive names before rendering in templates.
Use HTML entity encoding: &lt; for <, &gt; for >, &amp; for &, &quot; for ", &#x27; for '
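The two workarounds above, validation with the suggested allow-list regex and entity encoding of the five characters listed, shown together as an added Python example. This is not Halo's own code (Halo is a Java application); the render_archive_heading function and the sample payload are constructed here for illustration.

```python
import html
import re

# Allow-list from the advisory's suggested filter: letters, digits, hyphen, underscore.
# re.fullmatch is used instead of ^...$ because in Python `$` also matches just
# before a trailing newline, so "name\n" would slip past an anchored search.
ARCHIVE_NAME_RE = re.compile(r"[a-zA-Z0-9\-_]+")


def is_valid_archive_name(name: str) -> bool:
    """Return True only if the archive name contains nothing but allow-listed characters."""
    return ARCHIVE_NAME_RE.fullmatch(name) is not None


# The five substitutions listed in the advisory. '&' must be encoded first,
# otherwise the '&' introduced by the other entities would itself be re-encoded.
_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
]


def html_encode(value: str) -> str:
    """Encode the characters that let untrusted text break out of an HTML text node or attribute."""
    for ch, entity in _ENTITIES:
        value = value.replace(ch, entity)
    return value


def render_archive_heading_unsafe(name: str) -> str:
    """Hypothetical vulnerable template fragment: the name is interpolated as-is."""
    return f"<h1>{name}</h1>"


def render_archive_heading(name: str) -> str:
    """Hypothetical hardened fragment: reject bad input, then encode anyway (defense in depth)."""
    if not is_valid_archive_name(name):
        raise ValueError("archive name rejected by input filter")
    return f"<h1>{html_encode(name)}</h1>"


# Constructed sample: a classic script-tag payload, not taken from any real request.
SAMPLE_PAYLOAD = "<script>alert('x')</script>"

if __name__ == "__main__":
    print("unsafe :", render_archive_heading_unsafe(SAMPLE_PAYLOAD))
    print("encoded:", html_encode(SAMPLE_PAYLOAD))
    print("valid? :", is_valid_archive_name(SAMPLE_PAYLOAD), is_valid_archive_name("2025-05_notes"))
    try:
        render_archive_heading(SAMPLE_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The manual encoder is kept explicit so the five substitutions in the advisory are visible; in practice the standard library's html.escape(value, quote=True) produces the identical output, and any template engine with auto-escaping enabled does the same on every render.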
🧯 If You Can't Patch
- Disable or restrict access to the /halo_host/archives/{name} endpoint via web application firewall (WAF) rules.
- Implement Content Security Policy (CSP) headers to restrict script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check whether your Halo version is 2.20.17 or earlier. Attempt to inject basic XSS payloads into archive name parameters and observe whether they execute.
Check Version:
Check Halo admin panel or run: halo version
Verify Fix Applied:
After updating, test the same XSS payloads to confirm they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual archive name parameters containing script tags or JavaScript code
- Multiple failed archive access attempts with suspicious payloads
Network Indicators:
- HTTP requests to /halo_host/archives/ with encoded script tags or JavaScript in parameters
SIEM Query:
source="halo_logs" AND uri="/halo_host/archives/*" AND (param="<script>" OR param="javascript:")
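The log and network indicators above, applied to web-server access logs as an added Python example (not part of the advisory or of Halo). The log lines are constructed in the common log format and use documentation IP addresses; the detection looks only at requests under /halo_host/archives/, URL-decodes the request target twice so that single- and double-encoded script tags are both caught, and then counts hits per client so that repeated attempts from one source stand out.

```python
import re
from collections import Counter
from urllib.parse import unquote

ARCHIVE_PREFIX = "/halo_host/archives/"

# Indicators named in the advisory: script tags and javascript: URLs, matched case-insensitively.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]

# Common log format: client IP first, request line in quotes.
CLIENT_RE = re.compile(r"^(?P<client>\S+)")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/')


def normalize_target(target: str) -> str:
    """URL-decode twice so %253C (double-encoded '<') is seen as '<' like %3C is."""
    for _ in range(2):
        target = unquote(target)
    return target


def find_xss_indicators(log_lines):
    """Return (client, decoded_target, matched_patterns) for archive requests carrying indicators."""
    hits = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        target = normalize_target(req.group("target"))
        if not target.startswith(ARCHIVE_PREFIX):
            continue
        matched = [p.pattern for p in XSS_PATTERNS if p.search(target)]
        if matched:
            client = CLIENT_RE.match(line).group("client")
            hits.append((client, target, matched))
    return hits


def count_by_client(hits):
    """Repeated suspicious requests from one client are the 'multiple attempts' signal above."""
    return Counter(client for client, _, _ in hits)


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /halo_host/archives/hello-world HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/May/2025:12:00:02 +0000] "GET /halo_host/archives/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4021',
    '198.51.100.7 - - [10/May/2025:12:00:03 +0000] "GET /halo_host/archives/post?ref=javascript:alert(1) HTTP/1.1" 200 4020',
    '198.51.100.7 - - [10/May/2025:12:00:04 +0000] "GET /halo_host/archives/%253Cscript%253E HTTP/1.1" 404 120',
    '203.0.113.10 - - [10/May/2025:12:00:05 +0000] "GET /console/login?next=%3Cscript%3E HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    found = find_xss_indicators(SAMPLE_LOG)
    for client, target, matched in found:
        print(f"{client} {target!r} matched {matched}")
    print("hits per client:", dict(count_by_client(found)))
```

The last sample line is deliberately outside the archives path: the SIEM query above scopes on the URI, and this function does the same, so a wider hunt would need to drop the prefix check. Double decoding is cheap and avoids the common gap where a single-decode rule misses %25-prefixed payloads.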