Home

Description

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.

PUBLISHED Reserved 2026-06-30 | Published 2026-06-30 | Updated 2026-07-14 | Assigner VulnCheck




LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

LOW: 2.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

Any version before 4.30
affected

Credits

George Chen finder

References

github.com/seaweedfs/seaweedfs/releases/tag/4.30 (Release Notes) release-notes

github.com/seaweedfs/seaweedfs/pull/9686 (Fix PR) issue-tracking

github.com/...ommit/77dcb20a7485074d37340985d53103f94538abe6 (Patch Commit) patch

github.com/geo-chen/oss/blob/main/seaweedfs.md (Researcher Disclosure) technical-description exploit

www.vulncheck.com/...ia-unvalidated-jsonp-callback-parameter third-party-advisory

cve.org (CVE-2026-58371)

nvd.nist.gov (CVE-2026-58371)

Download JSON