GHSA-W7W5-5GCP-38RW

Vulnerability from github – Published: 2026-06-08 23:08 – Updated: 2026-06-08 23:08
VLAI
Summary
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
Details

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase.

Impact

The admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing X-Frame-Options: DENY / frame-ancestors 'none' is a real clickjacking lever against an admin browsing /ui/operators/* or /ui/cas/*. Missing X-Content-Type-Options: nosniff allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.

Affected

All released versions up to v0.3.0.

Suggested fix

A single response-header middleware mounted at the chi router root in both /ui/* and /api/* paths:

func securityHeadersMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        h := rw.Header()
        h.Set("Content-Security-Policy",
            "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'")
        h.Set("X-Content-Type-Options", "nosniff")
        h.Set("Referrer-Policy", "same-origin")
        h.Set("X-Frame-Options", "DENY")  // belt-and-braces; CSP frame-ancestors is the modern path
        if r.TLS != nil {
            h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        }
        next.ServeHTTP(rw, r)
    })
}

The inline <script> in layout.html for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (crypto/rand, base64) injected into both the CSP header and the script's nonce="" attribute.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/juev/nebula-mesh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1021"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T23:08:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy`, `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `Referrer-Policy` returns zero matches across the codebase.\n\n## Impact\nThe admin UI signs CA certificates, mints API keys (returned inline once per page), displays TOTP QR codes, and exposes operator-management forms. Missing `X-Frame-Options: DENY` / `frame-ancestors \u0027none\u0027` is a real clickjacking lever against an admin browsing `/ui/operators/*` or `/ui/cas/*`. Missing `X-Content-Type-Options: nosniff` allows MIME confusion on any user-supplied content surface. Missing HSTS on TLS deployments leaves a downgrade window.\n\n## Affected\nAll released versions up to v0.3.0.\n\n## Suggested fix\nA single response-header middleware mounted at the chi router root in both `/ui/*` and `/api/*` paths:\n\n```go\nfunc securityHeadersMiddleware(next http.Handler) http.Handler {\n    return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {\n        h := rw.Header()\n        h.Set(\"Content-Security-Policy\",\n            \"default-src \u0027self\u0027; frame-ancestors \u0027none\u0027; base-uri \u0027none\u0027; form-action \u0027self\u0027\")\n        h.Set(\"X-Content-Type-Options\", \"nosniff\")\n        h.Set(\"Referrer-Policy\", \"same-origin\")\n        h.Set(\"X-Frame-Options\", \"DENY\")  // belt-and-braces; CSP frame-ancestors is the modern path\n        if r.TLS != nil {\n            h.Set(\"Strict-Transport-Security\", \"max-age=31536000; includeSubDomains\")\n        }\n        next.ServeHTTP(rw, r)\n    })\n}\n```\n\nThe inline `\u003cscript\u003e` in `layout.html` for CSRF wiring (added in the CSRF advisory) will need either a nonce, a hash in CSP, or external-file extraction. Easiest path: a nonce per request (`crypto/rand`, base64) injected into both the CSP header and the script\u0027s `nonce=\"\"` attribute.",
  "id": "GHSA-w7w5-5gcp-38rw",
  "modified": "2026-06-08T23:08:54Z",
  "published": "2026-06-08T23:08:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-w7w5-5gcp-38rw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forgekeep/nebula-mesh/commit/b45fda5476c41ffcff1ca23058aef0fb851359c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juev/nebula-mesh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…