Oaskit 0.14.1 - security release

Hello everyone,

This is a security update for Oaskit. Version 0.14.1 is now on Hex and fixes a reflected cross-site scripting (XSS) vulnerability in the default error handler.

If you are using Oaskit you should upgrade now.

Following the recent effort of scanning libraries with Claude Code and Fable I found a vulnerability in one of my libraries. I will do the same for JSV later.

What was affected

Oaskit’s default error handler (Oaskit.ErrorHandler.Default) can render validation errors as an HTML page when a request’s Accept header contains html. This is enabled by default (html_errors: true) and is genuinely handy in development for reading errors straight from the browser.

The problem: request-controlled values (such as object keys from a request body or query parameter, or a malformed Content-Type) were written into that HTML page without escaping. A crafted link to a validating endpoint could execute JavaScript in the application’s origin, a plain GET navigation is enough, no form or special headers required. Dumb me yeah.

Severity is Medium (CVSS 6.1). The full write-up is in the advisory:

:right_arrow: GHSA-h7xw-x8wr-xpcc

The HTML error page stays on by default, because it’s useful in dev and all interpolated values are now HTML-escaped.

Who should upgrade

All versions before 0.14.1 are affected. If you use Oaskit, please bump:

{:oaskit, "~> 0.14.1"}

Workaround (if you can’t upgrade right away)

Disable HTML error rendering so only JSON errors are returned:

plug Oaskit.Plugs.ValidateRequest, html_errors: false

Apologies for the churn this upgrade causes, and for shipping the issue in the first place.

Thank you for using Oaskit! If you find anything suspicious, please report privately via the repository’s Security tab.

(@AstonJ does that still merge into the main library thread?)

3 Likes

Now that any library/project can get one of our new forums we no longer need to merge the threads :icon_biggrin: however if you’d like a reference to updates like this in the main thread then simply link to the main thread like you have - it will then show in the footer of the post:

Btw if you want an easier way to set up one of our new forums (for Oaskit or any other library) you can just give provide the data as Rails create block, we can add it to our seed file and then set you up with the admin thread. Just PM me if you want to do it that way :023: