Hello everyone,
This is a security update for Oaskit. Version 0.14.1 is now on Hex and fixes a reflected cross-site scripting (XSS) vulnerability in the default error handler.
If you are using Oaskit you should upgrade now.
Following the recent effort of scanning libraries with Claude Code and Fable I found a vulnerability in one of my libraries. I will do the same for JSV later.
What was affected
Oaskit’s default error handler (Oaskit.ErrorHandler.Default) can render validation errors as an HTML page when a request’s Accept header contains html. This is enabled by default (html_errors: true) and is genuinely handy in development for reading errors straight from the browser.
The problem: request-controlled values (such as object keys from a request body or query parameter, or a malformed Content-Type) were written into that HTML page without escaping. A crafted link to a validating endpoint could execute JavaScript in the application’s origin, a plain GET navigation is enough, no form or special headers required. Dumb me yeah.
Severity is Medium (CVSS 6.1). The full write-up is in the advisory:
The HTML error page stays on by default, because it’s useful in dev and all interpolated values are now HTML-escaped.
Who should upgrade
All versions before 0.14.1 are affected. If you use Oaskit, please bump:
{:oaskit, "~> 0.14.1"}
Workaround (if you can’t upgrade right away)
Disable HTML error rendering so only JSON errors are returned:
plug Oaskit.Plugs.ValidateRequest, html_errors: false
Apologies for the churn this upgrade causes, and for shipping the issue in the first place.
Thank you for using Oaskit! If you find anything suspicious, please report privately via the repository’s Security tab.
(@AstonJ does that still merge into the main library thread?)























