cadwyn is vulnerable to Cross-site Scripting (XSS)
Severity score: 60 (Medium Risk)
Affected versions of this package are vulnerable to reflected Cross-Site Scripting (XSS) due to improper sanitization of the version query parameter in both the redoc_dashboard and swagger_dashboard functions. These functions dynamically construct an openapi_url by embedding the user-supplied version value into the rendered documentation page without escaping it for the context it lands in, which lets an attacker inject JavaScript. An attacker who gets a victim to open a crafted link whose version parameter carries a script payload (e.g., ?version='><script>alert(1)</script>) can have that payload execute in the victim's browser when the documentation page is rendered.
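The following is an added Python example, not cadwyn's own code, that reproduces the class of weakness described above and places it beside two hardened forms. The function names, the ReDoc-style spec-url attribute context, the allow-list of served versions, and the sample payload (modelled on the advisory's example) are all assumptions made for the illustration.

```python
import html
from urllib.parse import quote, urlencode

# Constructed sample data for this illustration (not from cadwyn):
# the version strings a hypothetical API actually serves.
KNOWN_VERSIONS = frozenset({"2023-01-01", "2024-06-15", "unversioned"})

# Attacker-controlled query value, modelled on the advisory's example payload.
PAYLOAD = "'><script>alert(1)</script>"


def build_openapi_url_vulnerable(version: str) -> str:
    """Weak pattern: the raw ?version= value is interpolated into the URL string."""
    return f"/openapi.json?version={version}"


def render_dashboard_vulnerable(version: str) -> str:
    """Weak pattern: the URL is dropped into a single-quoted HTML attribute
    (a ReDoc-style <redoc spec-url='...'> embed is assumed) with no escaping,
    so a quote in `version` closes the attribute and the rest is parsed as markup."""
    url = build_openapi_url_vulnerable(version)
    return f"<redoc spec-url='{url}'></redoc>"


def build_openapi_url_encoded(version: str) -> str:
    """Mitigation 1: percent-encode the value for the query-string context.
    quote(..., safe="") leaves only [A-Za-z0-9_.~-] unencoded, so ' < > / ( )
    all become %XX sequences and can no longer break out of the URL."""
    return "/openapi.json?version=" + quote(version, safe="")


def build_openapi_url_hardened(version: str) -> str:
    """Mitigation 2 (preferred): allow-list the value against the versions the
    application really serves, then encode. Unknown input is rejected outright
    instead of being reflected at all."""
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown API version: {version!r}")
    return "/openapi.json?" + urlencode({"version": version})


def render_dashboard_hardened(version: str) -> str:
    """Context-appropriate escaping at each layer: URL-encoded for the query
    string, then HTML-escaped (quotes included) for the attribute."""
    url = build_openapi_url_hardened(version)
    return f"<redoc spec-url='{html.escape(url, quote=True)}'></redoc>"


def rejects_unknown_version(version: str) -> bool:
    """True if the hardened builder refuses the value rather than reflecting it."""
    try:
        build_openapi_url_hardened(version)
    except ValueError:
        return True
    return False


def markup_injected(rendered: str) -> bool:
    """Crude oracle for the demo: a literal <script> tag escaped the attribute."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("vulnerable:", render_dashboard_vulnerable(PAYLOAD))
    print("encoded   :", build_openapi_url_encoded(PAYLOAD))
    print("hardened  :", render_dashboard_hardened("2024-06-15"))
    print("payload rejected:", rejects_unknown_version(PAYLOAD))
```

The allow-list is the stronger fix because a documentation endpoint only ever needs to reference versions the application actually serves; encoding alone still reflects attacker input, just neutralized, and is easy to get wrong if the value later moves into a different context (for example a JavaScript string in a Swagger UI initializer rather than an HTML attribute).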
You are affected if the installed cadwyn version falls within the vulnerable range.
cadwyn is vulnerable to Cross-site Scripting (XSS) in versions 3.15.0 through 5.4.2.
Upgrade cadwyn to a patched release (later than 5.4.2, the last version in the affected range). You can confirm the installed version with pip show cadwyn.