CVE-2025-45286

6.1 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in mccutchen/go-httpbin v2.17.1 that allows attackers to inject and execute malicious web scripts or HTML through crafted payloads. It affects any system running the vulnerable version of go-httpbin, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • mccutchen/go-httpbin
Versions: v2.17.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the vulnerable version is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the application interface.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions within the application context where the XSS payload executes.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, especially when unauthenticated access is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.17.2 or later

Vendor Advisory: https://github.com/mccutchen/go-httpbin/security/advisories/GHSA-528q-4pgm-wvg2

Restart Required: Yes

Instructions:

1. Check the current version with "httpbin --version".
2. Update to v2.17.2 or later via your package manager or a manual installation.
3. Restart the httpbin service.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict the sources from which scripts may execute: add "Content-Security-Policy: default-src 'self'" to HTTP responses.

Input Validation Filter (applies to: all)

Add middleware that sanitizes user input before it is processed: implement input sanitization for all user-supplied parameters.

🧯 If You Can't Patch

  • Deploy a Web Application Firewall (WAF) with XSS protection rules
  • Isolate the vulnerable system behind reverse proxy with request filtering

🔍 How to Verify

Check if Vulnerable:

Check whether you are running httpbin v2.17.1 using "httpbin --version" or a package manager query.

Check Version:

httpbin --version

Verify Fix Applied:

Confirm the version is v2.17.2 or later, then test with XSS payloads that should now be sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long parameter values
  • Script tags or JavaScript in request parameters
  • Multiple requests with similar suspicious patterns

Network Indicators:

  • HTTP requests containing script tags, JavaScript code, or encoded payloads in parameters

SIEM Query (pseudo-syntax; adapt the field names to your log schema and match the values as substrings, not exact matches):

source="httpbin" AND (param="<script>" OR param="javascript:" OR param="onerror=" OR param="onload=")
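A small log-inspection routine for the indicators listed above, written in Go to match the project's language. This is an added example, not code from the advisory or from go-httpbin; the length threshold and the sample request targets are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Indicators from the advisory's SIEM query, matched case-insensitively as
// substrings after URL decoding, so "%3Cscript%3E" and "<SCRIPT>" both hit.
var xssIndicators = []string{"<script", "javascript:", "onerror=", "onload="}
// maxParamLen is an assumed threshold for "unusually long parameter values".
const maxParamLen = 256
// Finding records which parameter was flagged and why.
type Finding struct{ Param, Reason string }

// InspectRequestURI takes a logged request target (path plus query), decodes
// each parameter twice (the second pass catches double-encoded payloads such
// as %253Cscript%253E) and returns one Finding per matched indicator or
// over-length value. It only compares strings; nothing is rendered or run.
func InspectRequestURI(target string) []Finding {
	u, err := url.Parse(target)
	if err != nil {
		return []Finding{{Reason: "unparseable target: " + err.Error()}}
	}
	var findings []Finding
	for name, values := range u.Query() { // Query() has decoded once already
		for _, v := range values {
			if len(v) > maxParamLen {
				findings = append(findings, Finding{name, "length"})
			}
			decoded := v
			if d, err := url.QueryUnescape(v); err == nil {
				decoded = d // a literal '%' makes the 2nd decode fail: keep v
			}
			lower := strings.ToLower(decoded)
			for _, ind := range xssIndicators {
				if strings.Contains(lower, ind) {
					findings = append(findings, Finding{name, ind})
				}
			}
		}
	}
	return findings
}

func main() { // constructed sample target, not real traffic
	fmt.Println(InspectRequestURI("/anything?img=%253Cimg%2520onerror%253Dalert(1)%253E"))
}
```

Feed it the request-target column of your access log; a non-empty result for a request is the condition the SIEM query above is trying to express.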
