{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54414", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-21T23:18:10.280Z", "datePublished": "2025-07-26T03:30:28.951Z", "dateUpdated": "2025-07-28T14:12:08.914Z"}, "containers": {"cna": {"title": "Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c"}, {"name": "https://github.com/TecharoHQ/anubis/pull/904", "tags": ["x_refsource_MISC"], "url": "https://github.com/TecharoHQ/anubis/pull/904"}, {"name": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3"}], "affected": [{"vendor": "TecharoHQ", "product": "anubis", "versions": [{"version": "< 1.21.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:32:47.245Z"}, "descriptions": [{"lang": "en", "value": "Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3."}], "source": {"advisory": "GHSA-jhjj-2g64-px7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T14:11:31.281544Z", "id": "CVE-2025-54414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:12:08.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T14:11:31.281544Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:12:00.853Z"}}], "cna": {"title": "Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons", "source": {"advisory": "GHSA-jhjj-2g64-px7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "TecharoHQ", "product": "anubis", "versions": [{"status": "affected", "version": "< 1.21.3"}]}], "references": [{"url": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c", "name": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TecharoHQ/anubis/pull/904", "name": "https://github.com/TecharoHQ/anubis/pull/904", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3", "name": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:32:47.245Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54414", "state": "PUBLISHED", "dateUpdated": "2025-07-28T14:12:08.914Z", "dateReserved": "2025-07-21T23:18:10.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-26T03:30:28.951Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3."}, {"lang": "es", "value": "Anubis es una utilidad de firewall web con inteligencia artificial que eval\u00faa el estado de las conexiones de los usuarios mediante uno o m\u00e1s desaf\u00edos para proteger los recursos de origen de bots rastreadores. En las versiones 1.21.2 y anteriores, los atacantes pueden manipular p\u00e1ginas maliciosas de desaf\u00edo de paso que provocan que el usuario ejecute c\u00f3digo JavaScript arbitrario o activen otros esquemas no est\u00e1ndar. Una versi\u00f3n incompleta de esta correcci\u00f3n se registr\u00f3 en la versi\u00f3n 1.21.2 y posteriormente se cancel\u00f3 el proceso de lanzamiento tras las pruebas finales. Para solucionar este problema: bloquee cualquier solicitud a la ruta /.within.website/x/cmd/anubis/api/pass-challenge con el par\u00e1metro ?redir= establecido en cualquier URL que no comience con el esquema http, https o ning\u00fan esquema (redireccionamiento a la ruta local). Esto se solucion\u00f3 en la versi\u00f3n 1.21.3."}], "id": "CVE-2025-54414", "lastModified": "2025-07-29T14:14:55.157", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-26T04:16:06.987", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/TecharoHQ/anubis/pull/904"}, {"source": "security-advisories@github.com", "url": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}