CVE-2016-6348 in RESTEasy
Summary
by MITRE
JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
Analysis
by VulDB Data Team • 07/15/2025
The JacksonJsonpInterceptor in RESTEasy carries a critical security vulnerability, documented as CVE-2016-6348, that exposes applications to cross-site script inclusion attacks. The flaw lies in how the framework handles JSONP (JSON with Padding) requests. RESTEasy is widely used to build RESTful web services in Java, so any application that relies on this interceptor inherits a path by which a malicious actor can get unauthorized script into the application's responses.
Technically, the vulnerability stems from inadequate input validation and output encoding in the JacksonJsonpInterceptor component. When RESTEasy serves a JSONP request it wraps the JSON response in a caller-named callback function so that the data can be retrieved across domains. The interceptor does not validate or escape that callback name before concatenating it into the response body, so a crafted callback value becomes JavaScript that executes in the victim's browser: a direct path to cross-site scripting.
The operational impact goes beyond script injection. With code running in the user's browser context, an attacker can hijack sessions, steal session cookies and other sensitive application data, escalate privileges, or manipulate the application's behaviour. The vector is particularly concerning because it rides on legitimate JSONP functionality that many applications depend on for cross-domain communication, which makes it difficult to detect and prevent without dedicated security controls.
This vulnerability is classified under CWE-79 (cross-site scripting) and maps to ATT&CK technique T1203 (Exploitation for Client Execution), since the injected script runs in the victim's browser. The attack surface is broad: RESTEasy is commonly embedded in enterprise applications, web services and microservice architectures that use JSONP for client-side data retrieval. Organizations running RESTEasy with JacksonJsonpInterceptor risk unauthorized code execution in their users' browsers and data compromise, particularly where user input is processed without proper sanitization.
Mitigation starts with patching RESTEasy to a version that addresses the JSONP interceptor flaw, validating and encoding every callback parameter, and configuring a Content Security Policy that limits script execution. Organizations should also disable JSONP where it is not strictly required, enforce strict validation of callback names (accepting only a well-formed JavaScript identifier), and assess their RESTful web services regularly. More generally, developers should never incorporate user-controllable input directly into response payloads without proper sanitization and validation.
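As an added, framework-independent illustration (not RESTEasy's own code), the following Python models the callback handling described above beside the hardened form the mitigations call for: JSONP stays off unless explicitly enabled, and when enabled the callback must be a well-formed JavaScript identifier or the request is rejected. The function names, the identifier pattern and the sample payload are constructed for this example.

```python
import json
import re

# A legitimate JSONP client sends a dotted JavaScript identifier such as
# "jQuery123_456" or "app.handlers.onData". Parentheses, angle brackets,
# quotes, semicolons and whitespace are not part of a valid name and are
# rejected outright. (Pattern constructed for this example.)
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def is_valid_callback(name):
    """True only for a syntactically valid (dotted) JavaScript identifier."""
    return bool(CALLBACK_RE.match(name))


def vulnerable_jsonp(payload, callback):
    """Wraps the payload in whatever callback string the client supplied.

    This mirrors the flaw described above: the callback parameter is
    concatenated into the response body with no validation, so any text a
    caller puts in the parameter is reflected into a script the browser runs.
    Returns (body, headers).
    """
    body = callback + "(" + json.dumps(payload) + ");"
    return body, {"Content-Type": "application/javascript"}


def hardened_jsonp(payload, callback, jsonp_enabled=False):
    """Returns (body, headers) with the mitigations applied.

    JSONP is disabled by default; a request with no callback, or with JSONP
    disabled, gets plain JSON. When JSONP is enabled, a callback that is not
    a valid identifier raises ValueError (map this to HTTP 400 in a server).
    """
    headers = {"X-Content-Type-Options": "nosniff"}  # do not let the browser sniff JSON as script
    if not jsonp_enabled or callback is None:
        headers["Content-Type"] = "application/json"
        return json.dumps(payload), headers
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name")
    headers["Content-Type"] = "application/javascript"
    # json.dumps escapes non-ASCII (including U+2028/U+2029) by default, so the
    # payload cannot break out of the JavaScript string context either.
    return callback + "(" + json.dumps(payload) + ");", headers
```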