postmanlabs httpbin core.py cross site scripting

A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Problem type

Affected products

postmanlabs

httpbin

0.6.0 - AFFECTED

0.6.1 - AFFECTED

References

VDB-338424 | postmanlabs httpbin core.py cross site scripting

https://vuldb.com/?id.338424

vdb-entry

VDB-338424 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.338424

signaturepermissions-required

Submit #709002 | postmanlabs httpbin <=0.6.1 XSS

https://vuldb.com/?submit.709002

third-party-advisory

github.com

https://github.com/postmanlabs/httpbin/issues/735

exploitissue-tracking

GitHub Security Advisories

GHSA-6m8p-6c5x-r759

A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an...

https://github.com/advisories/GHSA-6m8p-6c5x-r759

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-15095

github.com

https://github.com/postmanlabs/httpbin/issues/735

vuldb.com

https://vuldb.com/?ctiid.338424

vuldb.com

https://vuldb.com/?id.338424

vuldb.com

https://vuldb.com/?submit.709002

github.com

https://github.com/advisories/GHSA-6m8p-6c5x-r759

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15095

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15095",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-26T19:32:01.296Z",
    "dateReserved": "2025-12-25T12:56:12.998Z",
    "datePublished": "2025-12-26T02:02:07.191Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-26T02:02:07.191Z"
      },
      "title": "postmanlabs httpbin core.py cross site scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "affected": [
        {
          "vendor": "postmanlabs",
          "product": "httpbin",
          "versions": [
            {
              "version": "0.6.0",
              "status": "affected"
            },
            {
              "version": "0.6.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross Site Scripting",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Code Injection",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338424",
          "name": "VDB-338424 | postmanlabs httpbin core.py cross site scripting",
          "tags": [
            "vdb-entry"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338424",
          "name": "VDB-338424 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.709002",
          "name": "Submit #709002 | postmanlabs httpbin <=0.6.1 XSS",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/postmanlabs/httpbin/issues/735",
          "tags": [
            "exploit",
            "issue-tracking"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 4
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-25T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-25T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-25T14:01:16.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ZAST.AI (VulDB User)",
          "type": "reporter"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-26T19:32:01.296Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}