CVE-2022-4957 in speedtestinfo

Summary

by MITRE • 12/03/2023

A vulnerability was found in librespeed speedtest up to 5.2.4. It has been declared problematic. Affected by this vulnerability is an unknown functionality of the file results/stats.php. Manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. Upgrading to version 5.2.5 addresses this issue. The patch is named a85f2c086f3449dffa8fe2edb5e2ef3ee72dc0e9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-246643.


Analysis

by VulDB Data Team • 06/03/2025

CVE-2022-4957 is a cross-site scripting flaw in the librespeed speedtest application, version 5.2.4 and earlier. The issue resides in the results/stats.php file, where the application fails to sanitize user-supplied input. It manifests when the id argument is manipulated, allowing an attacker to inject script into the application's response. Injected script runs in the victim's browser within the application's origin, which can lead to session hijacking, data theft, or unauthorized actions performed through the application's interface.

Technically, the defect stems from insufficient input validation and missing output encoding in the application's PHP code. When results/stats.php processes the id parameter, it neither filters the value nor escapes it before rendering it into the HTML response, so attacker-controlled JavaScript supplied through id executes in the browser of any user who views the affected page. Because the parameter is reached over HTTP, the condition can be triggered remotely without physical access to the server or a presence on its local network.
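As an added illustration (not librespeed's own code and not the actual patch), the following shows the shape of the defect described above beside a hardened form; the assumption that a result id is a non-negative integer is mine, and the inputs are constructed.

```php
<?php
// Illustrative reconstruction of the CVE-2022-4957 pattern, not librespeed's code.
// A stats page reads ?id=... and reflects it into the HTML it returns.

// Vulnerable shape: the raw query parameter is concatenated straight into
// markup, so whatever arrives in `id` becomes part of the page as-is.
function renderStatsVulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return '<h2>Test ID: ' . $id . '</h2>';
}

// Hardened shape: first validate that `id` has the only form a result id can
// take (assumed here: a non-negative integer), then still HTML-encode it on
// output so the second layer holds even if the validation rule is relaxed later.
function renderStatsHardened(array $query): string
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    if ($id === false) {
        http_response_code(400);          // reject instead of reflecting
        return '<p>Invalid test id.</p>';
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Test ID: ' . $safe . '</h2>';
}

// Constructed inputs: a legitimate id and one carrying markup characters.
$benign  = ['id' => '42'];
$hostile = ['id' => '42<b>x</b>'];

// The vulnerable function returns the markup intact; the hardened one
// returns the benign id unchanged and rejects the hostile value.
echo renderStatsVulnerable($hostile), PHP_EOL;
echo renderStatsHardened($benign), PHP_EOL;
echo renderStatsHardened($hostile), PHP_EOL;
```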

The operational impact goes beyond the script execution itself, since it can serve as the starting point for more sophisticated attacks within the application. An attacker could steal user sessions, alter application behavior, or redirect users to malicious sites. The flaw sits in the statistics display of the speedtest application, so the integrity of the pages that present collected results cannot be trusted on an unpatched instance. Because speedtest deployments often collect performance metrics and user information, the XSS could expose that data or give an attacker a foothold for further exploitation. The vulnerability is classified under CWE-79, which covers cross-site scripting flaws in web applications.

Mitigation centers on upgrading to version 5.2.5 or later, which includes the patch a85f2c086f3449dffa8fe2edb5e2ef3ee72dc0e9. The patch adds input sanitization and output encoding for the id parameter, so that potentially malicious content is neutralized before it is rendered in the response. Organizations should also apply additional defensive measures such as a Content Security Policy, input validation at multiple layers, and regular security assessments of their web applications. The remediation follows standard web application security practice as described in the OWASP Top Ten and the MITRE ATT&CK framework. Administrators should patch affected instances promptly and monitor for signs of exploitation attempts, since a flaw in the statistics display is an attractive target for anyone seeking to compromise user sessions or reach the collected performance data.

Responsible

VulDB

Reservation

12/02/2023

Disclosure

12/03/2023

Moderation

accepted

CPE

ready

EPSS

0.00556

KEV

no

Activities

very low
