Description
SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.
Published: 2026-06-30
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SeaweedFS versions before 4.30 serve JSON endpoints that echo the callback query parameter verbatim into an application/javascript response without validating the name or sending safe headers. Because a script tag is not bound by the same-origin policy, a malicious page can load such an endpoint as a script with a callback of its choosing and receive the JSON as the function's argument, reading cluster topology, volume server URLs, gRPC ports, file identifiers and directory listings. The missing X-Content-Type-Options: nosniff header additionally lets MIME-sniffing clients treat the reflected callback text, which sits at the very start of the body, as HTML. The record classifies this as CWE-79, since the callback is untrusted input written into a response; in practice it is an unsafe JSONP implementation whose effect is disclosure of internal cluster details.

Affected Systems

The vulnerability affects the SeaweedFS distributed file system in every release before 4.30. It is not tied to a single endpoint: every JSON response produced by the shared writeJson helper is affected, including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status endpoint and the filer directory listing. All of these are reachable in the default configuration, with no -whiteList, no security.toml and the HTTP listeners bound to 0.0.0.0.

Risk and Exploitability

The CVSS 4.0 base score is 2.3 (Low); the CVSS 3.1 vector on the same record scores 3.1. No EPSS data is available and the CVE is not listed in the CISA KEV catalog. Exploitation requires user interaction (UI:P in the 4.0 vector, UI:R in 3.1): the victim must open an attacker-controlled page in a browser that can reach the SeaweedFS HTTP ports, which with the default 0.0.0.0 binding includes any browser on the same internal network. That page includes a script tag pointing at an exposed endpoint with a chosen callback, the server reflects the callback, and the JSON payload is delivered to the attacker's function. The impact is limited to information disclosure, with no code execution or data modification, but the disclosed topology, volume server URLs and gRPC ports give an attacker a map of the cluster for follow-on attacks.

Generated by OpenCVE AI on June 30, 2026 at 17:51 UTC.
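The following Go program is an added example and is not part of this record or of SeaweedFS's own code. It models the pre-4.30 helper exactly as the description states it (callback reflected verbatim at the start of an application/javascript body, no nosniff header) beside a hardened version that allow-lists the callback name, always sends nosniff and rejects anything else, and it adds a probe of the kind a practitioner would run against a master's /dir/status or a volume server's /status to confirm exposure before and after upgrading. The names writeJsonVulnerable, writeJsonHardened, callbackRe, Probe and ProbeBoth, the allow-list regex and the sample status payload are assumptions made for the example; the probe runs here against in-process httptest servers so it works offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Constructed stand-in for a master's /dir/status payload, not real output.
var sampleStatus = map[string]any{"Topology": map[string]any{"Max": 8, "Free": 5}, "Version": "example"}

// writeJsonVulnerable models the pre-4.30 behaviour from the description: the
// callback is written verbatim at the start of an application/javascript body
// and no nosniff header is sent. Reconstruction, not SeaweedFS's own code.
func writeJsonVulnerable(w http.ResponseWriter, r *http.Request, obj any) {
	body, _ := json.Marshal(obj)
	callback := r.FormValue("callback")
	if callback == "" {
		w.Header().Set("Content-Type", "application/json")
		w.Write(body)
		return
	}
	w.Header().Set("Content-Type", "application/javascript")
	fmt.Fprintf(w, "%s(%s)", callback, body)
}

// Assumed allow-list: a dotted JavaScript identifier path and nothing else.
var callbackRe = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

// writeJsonHardened validates the name, always sends nosniff, and rejects a
// callback outside the allow-list instead of reflecting it.
func writeJsonHardened(w http.ResponseWriter, r *http.Request, obj any) {
	body, _ := json.Marshal(obj)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	callback := r.FormValue("callback")
	if callback == "" {
		w.Header().Set("Content-Type", "application/json")
		w.Write(body)
		return
	}
	if !callbackRe.MatchString(callback) {
		http.Error(w, "invalid callback", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/javascript")
	// A leading comment keeps the caller-chosen name out of the first bytes.
	fmt.Fprintf(w, "/**/%s(%s);", callback, body)
}

// ProbeResult records what a server did with a callback no allow-list accepts.
type ProbeResult struct {
	Status    int
	Reflected bool // marker came back verbatim at the start of the body
	Nosniff   bool // X-Content-Type-Options: nosniff was present
}

// Probe requests path with a non-identifier callback and reports whether it was
// reflected. Point it at a real base URL (master /dir/status, volume /status).
func Probe(client *http.Client, baseURL, path string) (ProbeResult, error) {
	const marker = "probe<x>" // '<' and '>' fail any identifier allow-list
	resp, err := client.Get(baseURL + path + "?callback=" + url.QueryEscape(marker))
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{
		Status:    resp.StatusCode,
		Reflected: strings.HasPrefix(string(body), marker),
		Nosniff:   strings.EqualFold(resp.Header.Get("X-Content-Type-Options"), "nosniff"),
	}, nil
}

// ProbeBoth runs Probe against in-process servers using each helper so the
// example works offline.
func ProbeBoth() (vulnerable, hardened ProbeResult, err error) {
	serve := func(write func(http.ResponseWriter, *http.Request, any)) *httptest.Server {
		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			write(w, r, sampleStatus)
		}))
	}
	v, h := serve(writeJsonVulnerable), serve(writeJsonHardened)
	defer v.Close()
	defer h.Close()
	if vulnerable, err = Probe(v.Client(), v.URL, "/dir/status"); err != nil {
		return
	}
	hardened, err = Probe(h.Client(), h.URL, "/dir/status")
	return
}
```

Against the vulnerable model the probe returns status 200 with the marker reflected and no nosniff header, the same three signals a reviewer would look for in a live response; against the hardened model it returns 400 with nosniff set and nothing reflected. CORS headers are deliberately not modelled, because a classic script tag ignores them; the fix that matters for the JSONP disclosure is the callback validation, and nosniff only closes the HTML-sniffing variant.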

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SeaweedFS to version 4.30 or later; the description identifies 4.30 as the first release that no longer reflects the callback parameter verbatim.
  • If the upgrade is delayed, cut network reach first: bind the master, volume server and filer HTTP ports to a private or loopback address rather than the default 0.0.0.0, use -whiteList and a security.toml so that only trusted hosts can reach them, and remember that the attacker needs the victim's browser, not the attacker's own machine, to be able to route to those ports.
  • Do not rely on headers alone. X-Content-Type-Options: nosniff closes the MIME-sniffing variant and a CORS allow-list governs fetch and XMLHttpRequest, but neither stops a script tag from executing a response served as application/javascript, which is how the JSONP callback leaks data. Until the upgrade, strip or reject the callback query parameter at a reverse proxy in front of the HTTP ports, since a plain JSON body is not readable through a script tag, and add nosniff at the proxy as well.

Generated by OpenCVE AI on June 30, 2026 at 17:51 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON endpoint that uses writeJson - including the unauthenticated master endpoints /dir/status, /dir/lookup and /cluster/status, the volume server /status, and the filer directory listing, all reachable in the default configuration (no -whiteList, no security.toml, bound to 0.0.0.0) - can therefore be loaded cross-origin via a script tag with a chosen callback, letting a third-party web page read cluster topology, volume server URLs and gRPC ports, file identifiers, and directory listings. Because the callback string is reflected at the start of the body and no nosniff header is sent, MIME-sniffing clients may also interpret the reflected content as HTML.
Title | (none) | SeaweedFS < 4.30 - Cross-Origin Information Disclosure via Unvalidated JSONP callback Parameter
First Time appeared | (none) | Seaweedfs; Seaweedfs seaweedfs
Weaknesses | (none) | CWE-79
CPEs | (none) | cpe:2.3:a:seaweedfs:seaweedfs:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Seaweedfs; Seaweedfs seaweedfs
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T15:57:36.585Z

Reserved: 2026-06-30T12:28:02.980Z

Link: CVE-2026-58371

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')