CVE-2025-54414 (GCVE-0-2025-54414)
Vulnerability from cvelistv5 – Published: 2025-07-26 03:30 – Updated: 2025-07-28 14:12
Summary
Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and earlier, the pass-challenge page placed the caller-supplied redir value into the link behind its 'Try Again' button without restricting the URL scheme. An attacker could therefore send a victim a link to /.within.website/x/cmd/anubis/api/pass-challenge with redir set to a javascript: URL (or another nonstandard scheme) and, when the victim clicked the button, execute arbitrary JavaScript in the context of the protected site or send them off-site (CWE-80 basic XSS, CWE-601 open redirect). An incomplete version of the fix was tagged as 1.21.2, but that release was aborted during final testing, so 1.21.2 remains affected. Workaround: block requests to the /.within.website/x/cmd/anubis/api/pass-challenge route whose redir parameter begins with anything other than the http or https scheme or a scheme-less local path. Fixed in version 1.21.3.
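The redirect allow-list that the workaround describes, as an added example written for this page; it is not Anubis project code and not the 1.21.3 patch. It accepts a redir value only when it is an http/https URL or a scheme-less local path, and then shows, as a second layer, that Go's html/template rewrites any href with a scheme other than http, https or mailto to "#ZgotmplZ", so a javascript: target could not reach the browser even if validation were skipped. Assumptions that are this example's own and not stated in the advisory: the fallback to "/" for an empty redir, the rejection of protocol-relative "//host" and backslash-prefixed paths, the `SafeRedirect` and `TryAgainHTML` names, and the button markup. Whether Anubis renders its page with html/template is also not stated in this record.

```go
// Added example for this page; not Anubis project code and not the 1.21.3 fix.
// It applies the allow-list rule from the CVE-2025-54414 workaround to the
// redir parameter of /.within.website/x/cmd/anubis/api/pass-challenge, and
// shows how Go's html/template neutralises a javascript: href as a second layer.
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any redir value that fails the allow-list.
var ErrBadRedirect = errors.New("pass-challenge redirect target rejected")

// SafeRedirect accepts redir only if it is an http/https URL or a scheme-less
// local path, which is the rule the advisory's workaround describes. Three
// choices are this example's own assumptions, not text from the advisory:
// an empty redir falls back to "/", protocol-relative "//host" is rejected, and
// paths beginning with a backslash ("\host", "/\host") are rejected, because
// browsers navigate cross-host on those even though no scheme is present.
func SafeRedirect(redir string) (string, error) {
	if redir == "" {
		return "/", nil
	}
	u, err := url.Parse(redir)
	if err != nil {
		// " javascript:alert(1)" and "java\tscript:alert(1)" land here: the tab is
		// a control byte, and with no parseable scheme a colon in the first path
		// segment is a parse error.
		return "", fmt.Errorf("%w: %v", ErrBadRedirect, err)
	}
	// url.Parse lower-cases the scheme, so "JaVaScRiPt:" is compared as "javascript".
	switch u.Scheme {
	case "http", "https":
		return redir, nil
	case "":
		if strings.HasPrefix(redir, "//") || strings.HasPrefix(redir, "\\") || strings.HasPrefix(redir, "/\\") {
			return "", fmt.Errorf("%w: protocol-relative or backslash path %q", ErrBadRedirect, redir)
		}
		if !strings.HasPrefix(redir, "/") {
			return "", fmt.Errorf("%w: local redirect must be an absolute path, got %q", ErrBadRedirect, redir)
		}
		return redir, nil
	default:
		return "", fmt.Errorf("%w: scheme %q not allowed", ErrBadRedirect, u.Scheme)
	}
}

// tryAgain is this example's stand-in for the pass-challenge "Try Again" button;
// the real Anubis markup is not reproduced here.
var tryAgain = template.Must(template.New("try-again").Parse(
	`<a class="button" href="{{.}}">Try again</a>`))

// TryAgainHTML renders the button. html/template treats href as a URL context
// and replaces any value whose scheme is not http, https or mailto with
// "#ZgotmplZ", so a javascript: target that slipped past SafeRedirect would
// still not reach the browser. It does not stop an http(s) open redirect.
func TryAgainHTML(redir string) string {
	var sb strings.Builder
	if err := tryAgain.Execute(&sb, redir); err != nil {
		panic(err) // static template fed a string: execution cannot fail
	}
	return sb.String()
}

func main() {
	// Constructed sample redir values; none are taken from the advisory.
	for _, redir := range []string{
		"/", "/blog/?page=2", "https://anubis.example/blog",
		"javascript:alert(document.cookie)", "JaVaScRiPt:alert(1)", " javascript:alert(1)",
		"data:text/html,<script>alert(1)</script>", "//evil.example/", "/\\evil.example",
	} {
		target, err := SafeRedirect(redir)
		fmt.Printf("%-42q -> target=%q err=%v\n", redir, target, err)
	}
	fmt.Println(TryAgainHTML("javascript:alert(1)"))
	fmt.Println(TryAgainHTML("/blog/?page=2"))
}
```

Two caveats a deployer should keep in mind. The workaround as published still permits an http or https redir pointing at any host, which is an ordinary open redirect; this record does not say whether 1.21.3 additionally restricts the host, so an operator who wants same-origin redirects only should compare u.Host against the protected site as well. And a reverse-proxy rule that blocks the route on a pattern match must be applied to the decoded query string, since the scheme in redir will normally arrive percent-encoded.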
Severity: CVSS v4.0 base score 5.1 (MEDIUM); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. CISA SSVC (2025-07-28): Exploitation none, Automatable no, Technical Impact partial.
CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS); CWE-601 (URL Redirection to Untrusted Site, Open Redirect)
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c | x_refsource_CONFIRM |
| https://github.com/TecharoHQ/anubis/pull/904 | x_refsource_MISC |
| https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T14:11:31.281544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T14:12:08.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anubis",
"vendor": "TecharoHQ",
"versions": [
{
"status": "affected",
"version": "\u003c 1.21.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anubis is a Web AI Firewall Utility that weighs the soul of users\u0027 connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn\u0027t start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:32:47.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c"
},
{
"name": "https://github.com/TecharoHQ/anubis/pull/904",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TecharoHQ/anubis/pull/904"
},
{
"name": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3"
}
],
"source": {
"advisory": "GHSA-jhjj-2g64-px7c",
"discovery": "UNKNOWN"
},
"title": "Anubis accepts crafted redirect URLs in pass-challenge \u0027Try Again\u0027 buttons"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54414",
"datePublished": "2025-07-26T03:30:28.951Z",
"dateReserved": "2025-07-21T23:18:10.280Z",
"dateUpdated": "2025-07-28T14:12:08.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.