GHSA-3W28-36P9-W929

Vulnerability from github – Published: 2026-06-23 17:33 – Updated: 2026-06-23 17:33
VLAI
Summary
Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS
Details

Summary

The Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.

Severity

High

Affected Versions

All versions using the vulnerable endpoint

Vulnerability Details

  • CVE ID: (To be assigned)
  • Entry Point: POST /-/api/sanitize_ipynb
  • Attack Vector: Network
  • Authentication Required: No (only needs a registered user account)

Impact

An attacker with a registered user account can:

  • Send malicious HTML containing data:text/html URIs to the sanitization endpoint
  • Receive sanitized but attacker-controlled HTML in the response
  • Execute arbitrary JavaScript in the attacker's browser context through XSS
  • Potentially exploit other users if the sanitized output is rendered in their context

The vulnerability has higher severity because:

  1. No authentication required (only needs a registered user account)
  2. Unlike the safer pattern in internal/markup/sanitizer.go:39 which uses isSafeDataURI to only allow safe image MIME types, this endpoint allows ALL data URIs including HTML
  3. The returned HTML can be used to craft XSS attacks

Proof of Concept

Attacker sends a POST request to the sanitization endpoint:

POST /-/api/sanitize_ipynb HTTP/1.1
Host: target.gogs.instance
Content-Type: text/plain

<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>

The server returns the sanitized HTML with the data URI preserved:

<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>

When this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.

Affected Component

File: internal/app/api.go:10-16

func ipynbSanitizer() *bluemonday.Policy {
    p := bluemonday.UGCPolicy()
    p.AllowAttrs("class", "data-prompt-number").OnElements("div")
    p.AllowAttrs("class").OnElements("img")
    p.AllowURLSchemes("data")  // <-- VULNERABLE: allows all data URIs
    return p
}

File: cmd/gogs/web.go:681-683 - No authentication middleware

m.Group("/-", func() {
    m.Get("/metrics", app.MetricsFilter(), promhttp.Handler())
    m.Group("/api", func() {
        m.Post("/sanitize_ipynb", app.SanitizeIpynb())  // <-- No auth middleware
    })
})

Root Cause

  1. Unrestricted data URI scheme: The code at internal/app/api.go:14 uses p.AllowURLSchemes("data") without any restriction, unlike the safer implementation in internal/markup/sanitizer.go:39 which uses AllowURLSchemeWithCustomPolicy("data", isSafeDataURI) to only allow safe image MIME types.

  2. No authentication: The endpoint at cmd/gogs/web.go:682 does not have any authentication middleware applied, making it accessible to any registered user.

  3. Insufficient validation: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing data:text/html payloads to pass through.

Suggested Fix

Option 1: Use the same safe pattern as internal/markup/sanitizer.go

Replace p.AllowURLSchemes("data") with:

p.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI)

Where isSafeDataURI is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).

Option 2: Add authentication middleware

Apply appropriate authentication to the endpoint:

m.Post("/sanitize_ipynb", middleware.signIn, app.SanitizeIpynb())

Option 3: Disable data URI scheme entirely

If data URIs are not required for ipynb sanitization:

// Remove this line entirely:
// p.AllowURLSchemes("data")
Severity
5.4 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:33:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes(\"data\")` which permits all data URI schemes including `data:text/html`, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.\n\n## Severity\n\n**High**\n\n## Affected Versions\n\nAll versions using the vulnerable endpoint\n\n## Vulnerability Details\n\n- **CVE ID**: (To be assigned)\n- **Entry Point**: `POST /-/api/sanitize_ipynb`\n- **Attack Vector**: Network\n- **Authentication Required**: No (only needs a registered user account)\n\n## Impact\n\nAn attacker with a registered user account can:\n\n- Send malicious HTML containing `data:text/html` URIs to the sanitization endpoint\n- Receive sanitized but attacker-controlled HTML in the response\n- Execute arbitrary JavaScript in the attacker\u0027s browser context through XSS\n- Potentially exploit other users if the sanitized output is rendered in their context\n\nThe vulnerability has higher severity because:\n\n1. No authentication required (only needs a registered user account)\n2. Unlike the safer pattern in `internal/markup/sanitizer.go:39` which uses `isSafeDataURI` to only allow safe image MIME types, this endpoint allows ALL data URIs including HTML\n3. The returned HTML can be used to craft XSS attacks\n\n## Proof of Concept\n\nAttacker sends a POST request to the sanitization endpoint:\n\n```http\nPOST /-/api/sanitize_ipynb HTTP/1.1\nHost: target.gogs.instance\nContent-Type: text/plain\n\n\u003ca href=\"data:text/html,\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003eclick\u003c/a\u003e\n```\n\nThe server returns the sanitized HTML with the data URI preserved:\n\n```html\n\u003ca href=\"data:text/html,\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003eclick\u003c/a\u003e\n```\n\nWhen this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.\n\n## Affected Component\n\n**File**: `internal/app/api.go:10-16`\n\n```go\nfunc ipynbSanitizer() *bluemonday.Policy {\n\tp := bluemonday.UGCPolicy()\n\tp.AllowAttrs(\"class\", \"data-prompt-number\").OnElements(\"div\")\n\tp.AllowAttrs(\"class\").OnElements(\"img\")\n\tp.AllowURLSchemes(\"data\")  // \u003c-- VULNERABLE: allows all data URIs\n\treturn p\n}\n```\n\n**File**: `cmd/gogs/web.go:681-683` - No authentication middleware\n\n```go\nm.Group(\"/-\", func() {\n\tm.Get(\"/metrics\", app.MetricsFilter(), promhttp.Handler())\n\tm.Group(\"/api\", func() {\n\t\tm.Post(\"/sanitize_ipynb\", app.SanitizeIpynb())  // \u003c-- No auth middleware\n\t})\n})\n```\n\n## Root Cause\n\n1. **Unrestricted data URI scheme**: The code at `internal/app/api.go:14` uses `p.AllowURLSchemes(\"data\")` without any restriction, unlike the safer implementation in `internal/markup/sanitizer.go:39` which uses `AllowURLSchemeWithCustomPolicy(\"data\", isSafeDataURI)` to only allow safe image MIME types.\n\n2. **No authentication**: The endpoint at `cmd/gogs/web.go:682` does not have any authentication middleware applied, making it accessible to any registered user.\n\n3. **Insufficient validation**: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing `data:text/html` payloads to pass through.\n\n## Suggested Fix\n\n**Option 1**: Use the same safe pattern as `internal/markup/sanitizer.go`\n\nReplace `p.AllowURLSchemes(\"data\")` with:\n\n```go\np.AllowURLSchemeWithCustomPolicy(\"data\", isSafeDataURI)\n```\n\nWhere `isSafeDataURI` is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).\n\n**Option 2**: Add authentication middleware\n\nApply appropriate authentication to the endpoint:\n\n```go\nm.Post(\"/sanitize_ipynb\", middleware.signIn, app.SanitizeIpynb())\n```\n\n**Option 3**: Disable data URI scheme entirely\n\nIf data URIs are not required for ipynb sanitization:\n\n```go\n// Remove this line entirely:\n// p.AllowURLSchemes(\"data\")\n```",
  "id": "GHSA-3w28-36p9-w929",
  "modified": "2026-06-23T17:33:32Z",
  "published": "2026-06-23T17:33:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8326"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs\u0027s Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.