CVE-2022-0088 in yourls
Summary
by MITRE • 04/03/2022
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability identified as CVE-2022-0088 represents a critical cross-site request forgery flaw discovered in the Yourls URL shortening application prior to version 1.8.3. This vulnerability exists within the web application's authentication and authorization mechanisms, specifically affecting how the system handles user requests and validates session integrity. The issue stems from the application's failure to properly implement anti-CSRF protections, creating a scenario where malicious actors can exploit user sessions to perform unauthorized actions without their knowledge or consent. The vulnerability impacts the core functionality of the URL shortening service and potentially exposes sensitive user data and administrative controls.
The technical flaw manifests in the application's lack of proper CSRF token validation during critical operations such as adding new URLs, modifying existing entries, or accessing administrative functions. When users authenticate to the Yourls system, their session remains active, but the application does not adequately verify that requests originate from legitimate sources within the authenticated session. This weakness allows attackers to craft malicious web pages or emails that, when visited by authenticated users, automatically submit requests to the vulnerable Yourls instance. The flaw directly maps to CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities in web applications. The vulnerability is particularly concerning because it can be exploited through various attack vectors including phishing campaigns, social engineering, or by leveraging existing user sessions on compromised devices.
The operational impact of this vulnerability extends beyond simple data manipulation to potentially compromise the entire URL shortening infrastructure. An attacker could leverage this flaw to inject malicious URLs into the system, redirect users to harmful websites, or gain unauthorized access to administrative functions. The vulnerability affects all users who have authenticated sessions with the application, making it particularly dangerous in environments where multiple users share the same system or where users browse untrusted websites. The exploitation of this vulnerability aligns with ATT&CK technique T1566, which covers phishing and social engineering attacks that leverage web-based vulnerabilities to gain unauthorized access to systems. Organizations using vulnerable versions of Yourls are at risk of having their URL shortening services compromised, potentially leading to reputation damage, data breaches, and unauthorized content distribution.
Mitigation strategies for CVE-2022-0088 focus primarily on upgrading to the patched version 1.8.3 or later, which implements proper CSRF token validation mechanisms. Organizations should also implement additional security measures including thorough input validation, session management improvements, and regular security audits of web applications. Network administrators should consider implementing web application firewalls that can detect and block suspicious CSRF attack patterns, while security teams should monitor for unauthorized access attempts and unusual user behavior that might indicate exploitation attempts. The vulnerability highlights the importance of maintaining up-to-date software versions and implementing proper security controls such as Content Security Policy headers and proper session management practices to prevent similar issues in the future.