CVE-2025-64716

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64716

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64716.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64716

Aliases

Published

2025-11-13T01:46:19.982Z

Modified

2025-12-05T10:21:41.624287Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator

Summary

Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Details

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases. Anybody with a subrequest authentication may be affected. Version 1.23.0 contains a fix for the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64716.json",
    "cwe_ids": [
        "CWE-601",
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/techarohq/anubis

Affected ranges

Type: GIT
Repo: https://github.com/techarohq/anubis
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

62c1b80189a6aecc90afc47ee857cd44ed09953c

Affected versions

1.*

1.17.0-beta2

v1.*

v1.12.1

v1.13.0

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.16.0

v1.17.0

v1.17.0-beta1

v1.17.0-beta3

v1.17.0-beta4

v1.17.0.signed

v1.17.1

v1.18.0

v1.18.0-pre1

v1.19.0

v1.19.0-pre1

v1.19.1

v1.20.0

v1.20.0-pre1

v1.20.0-pre2

v1.21.0

v1.21.0-pre1

v1.21.0-pre2

v1.21.0-pre3

v1.21.1

v1.21.2

v1.21.3

v1.22.0

v1.22.0-pre1

v1.22.0-pre2

v1.23.0-pre1

v1.23.0-pre2