AIKIDO-2025-10973

google-cloud-aiplatform is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Dec 24, 2025

Medium Risk

This Affects:

Python: google-cloud-aiplatform
Affected versions: 1.98.0 - 1.130.0
Fixed in 1.131.0

TL;DR

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) in the GenAI Client evaluation visualization component because user-controlled JSON data is embedded into HTML without sanitization. The old code interpolated eval_result_json directly into a JavaScript variable without encoding, so an attacker could craft evaluation data containing script payloads. Manipulated evaluation data that is later viewed in the report executes arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, or further attacks. The patch mitigates this by base64-encoding the JSON and decoding it safely in JavaScript, so the data can no longer break out of its script context.
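The pattern the advisory describes, shown as an added illustration rather than the library's own code: a hypothetical report renderer in its vulnerable form (JSON interpolated straight into a script block) next to the base64-encoded form the patch adopts, plus a check that the script element was not closed early. The sample evaluation data and the function names are constructed for this example.

```python
import base64
import json
import re

# Constructed sample: evaluation data in which a user-controlled field
# carries markup. Not taken from the advisory.
SAMPLE_EVAL_RESULT = {
    "metric": "coherence",
    "score": 0.42,
    "response": "fine</script><i>now parsed as HTML</i>",
}

PAGE = (
    "<html><body><div id='report'></div>\n<script>\n"
    "{assign}\n"
    "document.getElementById('report').textContent = JSON.stringify(evalResult);\n"
    "</script></body></html>"
)


def sample_json() -> str:
    return json.dumps(SAMPLE_EVAL_RESULT)


def render_vulnerable(eval_result_json: str) -> str:
    """Pre-fix pattern: the JSON text is interpolated verbatim into a
    <script> block, so a string value containing '</script>' closes the
    block early and the remainder is parsed as HTML."""
    return PAGE.format(assign=f"var evalResult = {eval_result_json};")


def render_hardened(eval_result_json: str) -> str:
    """Patched pattern: base64 uses a closed alphabet (A-Z a-z 0-9 + / =),
    so no payload byte can terminate the element or add markup; the browser
    decodes the bytes and parses them as JSON."""
    b64 = base64.b64encode(eval_result_json.encode("utf-8")).decode("ascii")
    decode_js = ("JSON.parse(new TextDecoder().decode("
                 f"Uint8Array.from(atob('{b64}'), c => c.charCodeAt(0))))")
    return PAGE.format(assign=f"var evalResult = {decode_js};")


def script_context_intact(html: str) -> bool:
    """Exactly one <script> and one </script> in the rendered report means
    no data value closed the script element early."""
    return html.count("<script>") == 1 and html.count("</script>") == 1


def recover_embedded_json(html: str) -> dict:
    """Replay the browser-side decode in Python to confirm the round trip."""
    m = re.search(r"atob\('([A-Za-z0-9+/=]+)'\)", html)
    return json.loads(base64.b64decode(m.group(1)).decode("utf-8"))
```

Running `script_context_intact` over both renderings of `sample_json()` shows the vulnerable page split into two script elements while the hardened page keeps one, and `recover_embedded_json` returns the original data unchanged.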

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

google-cloud-aiplatform is vulnerable to Cross-Site Scripting (XSS) in versions 1.98.0 - 1.130.0.

How to fix this

Upgrade the google-cloud-aiplatform library to the patched version, 1.131.0 or later.