We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-54414

Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons



Description

Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3.

Reserved 2025-07-21 | Published 2025-07-26 | Updated 2025-07-26 | Assigner GitHub_M


MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

< 1.21.3
affected

References

github.com/...anubis/security/advisories/GHSA-jhjj-2g64-px7c

github.com/TecharoHQ/anubis/pull/904

github.com/TecharoHQ/anubis/releases/tag/v1.21.3

cve.org (CVE-2025-54414)

nvd.nist.gov (CVE-2025-54414)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-54414

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.