CVE-2025-54414— Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons

Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons

Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3.

N/A

Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)

Anubis 安全漏洞

Anubis是Xe Iaso个人开发者的一个工具。 Anubis 1.21.2及之前版本存在安全漏洞，该漏洞源于恶意pass-challenge页面可能导致执行任意JavaScript代码。

N/A

N/A