Impact
SeaweedFS versions prior to 4.30 expose JSON endpoints that echo the callback parameter verbatim into JavaScript responses without validating the name or setting safe headers. The missing callback validation, the absent X-Content-Type-Options: nosniff header, and the lack of any CORS restriction together allow a malicious web page to load these endpoints via a script tag and read cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings. The vulnerability is an instance of an unsafe JSONP implementation (CWE‑79) and can lead to confidential internal information leakage.
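The reflection pattern described above, shown beside a hardened handler, as an added example in Go (SeaweedFS's implementation language); this is not SeaweedFS's own code, and since the page does not describe the upstream fix, the hardening shown (refusing JSONP, sending nosniff, and a CORS allowlist named allowedOrigins) is this example's own approach, with all names and the sample payload constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var sampleStatus = map[string]int{"Max": 1} // constructed stand-in for /dir/status data

// VulnerableStatus mirrors the flawed pattern: the callback name is reflected unchecked into a
// JavaScript body with no nosniff header and no CORS policy, so any origin's <script> tag reads it.
func VulnerableStatus(w http.ResponseWriter, r *http.Request) {
	body, _ := json.Marshal(sampleStatus)
	if cb := r.FormValue("callback"); cb != "" {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprintf(w, "%s(%s)", cb, body) // unchecked reflection
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(body)
}

var allowedOrigins = map[string]bool{"https://admin.example.internal": true} // hypothetical allowlist

// HardenedStatus refuses JSONP (plain JSON cannot be read through a script tag), sets nosniff so
// the body is never sniffed as script, and grants cross-origin reads only to allowlisted origins.
func HardenedStatus(w http.ResponseWriter, r *http.Request) {
	if r.FormValue("callback") != "" {
		http.Error(w, "JSONP is not supported", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if o := r.Header.Get("Origin"); allowedOrigins[o] {
		w.Header().Set("Access-Control-Allow-Origin", o)
	}
	json.NewEncoder(w).Encode(sampleStatus)
}

// Probe runs a handler in-process and returns status, headers and body: what a browser sees.
func Probe(h http.HandlerFunc, target, origin string) (int, http.Header, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header(), rec.Body.String()
}
```

Probe lets you compare the two handlers against your own deployment pattern locally; a response whose body starts with the supplied callback name and carries no nosniff header is the signature to look for in a review.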
Affected Systems
The vulnerability affects the SeaweedFS distributed file system, specifically all releases before 4.30. All JSON endpoints—such as /dir/status, /dir/lookup, /cluster/status, volume server /status, and filer directory listing—are exposed under the default configuration when no whitelist is set, no security.toml is used, and the service listens on 0.0.0.0.
Risk and Exploitability
The CVSS score is 2.3, indicating low severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. The attack is likely to be client‑side, where an attacker hosts a malicious web page that includes a script tag pointing to an exposed JSON endpoint, thereby reading the reflected data. Although the impact is limited to information disclosure and not to code execution or unauthorized data modification, the internal details exposed can aid further attacks against the SeaweedFS cluster.
OpenCVE Enrichment