Impact
Valhalla routing engine versions up to 3.6.3 include a reflected cross‑site scripting flaw caused by an unsanitized JSONP callback parameter. The callback value is echoed directly into an application/javascript response without validation, encoding, or whitelist filtering, allowing an attacker to inject arbitrary JavaScript. When a victim loads a crafted URL through a <script src="..."> tag, the injected code executes with the Valhalla server’s origin context, potentially enabling session cookie theft, credential disclosure, or the execution of actions on behalf of the user. This vulnerability is classified as CWE‑79.
Affected Systems
The affected product is Valhalla, an open‑source routing engine and library set designed for use with OpenStreetMap data. Vulnerable releases extend through version 3.6.3; any install of Valhalla 3.6.3 or older is susceptible. No additional vendor or version details are provided beyond the CNA listing of valhalla:valhalla.
Risk and Exploitability
The CVSS score of 6.1 suggests moderate severity, while the EPSS score of less than 1% indicates a low probability of active exploitation at the time of publication. Valhalla is not listed in the CISA KEV catalog. Exploitation requires an unprivileged attacker to lure a victim into loading a malicious JSONP URL. Based on the description, it is inferred that an attacker may convey the malicious URL through phishing emails or malicious web pages that embed a <script src="..."> tag pointing to the vulnerable endpoint. Once the victim’s browser executes the injected script under the Valhalla origin, arbitrary client‑side code runs with the victim’s privileges.
OpenCVE Enrichment