Submission #664967: David Jakowenko Double Take <= v1.13.1 Cross Site Scripting

Title: David Jakowenko Double Take <= v1.13.1 Cross Site Scripting
Description:

Summary: Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in version <=1.13.1 of double-take. The software can be found at https://github.com/jakowenko/double-take and https://hub.docker.com/r/jakowenko/double-take. double-take is a facial recognition open-source application with 860,000+ pulls on Docker Hub and 1.4k stars on GitHub. The maintainer (jakowenko) fixed the vulnerability in version 1.13.2 after I responsibly disclosed the issue to him. Specifically, the vulnerability is located in the api/src/app.js file, which evaluates the unsanitized value of the 'X-Ingress-Path' header on HTTP GET requests. This allows an attacker to inject arbitrary JavaScript into the response, resulting in reflected XSS when the UI is accessed with a malicious header present.

Affected Versions: double-take <=1.13.1, GitHub commit: 8e2728d283b3901d688c2454086fd0b512739b53
Fixed Version: double-take 1.13.2, GitHub commit: 92521a0bc8ba70f64c4f794332d48387663ba20e
Projected CVSS v3.1 Score: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Proof of Concept and Steps to Reproduce:

1. Download "Double Take" <=1.13.1: https://github.com/jakowenko/double-take/archive/refs/tags/v1.13.1.zip

    cd double-take-1.13.1

2. Point docker-compose.yml to version 1.13.1:

    ### docker-compose.yml
    version: '3.7'
    volumes:
      double-take:
    services:
      double-take:
        container_name: double-take
        image: jakowenko/double-take:1.13.1
        restart: unless-stopped
        volumes:
          - double-take:/.storage
        ports:
          - 3000:3000

3. Start "Double Take" using docker compose:

    docker compose up -d

4. Set the following HTTP header in Chrome (via the ModHeader extension or similar):

    X-Ingress-Path: ';window.onload = function() { alert(1); }//

5. Visit the Double-Take UI in a browser: http://localhost:3000

You will see a JavaScript popup alert, confirming JavaScript execution.

Alternatively, executing via curl demonstrates that the window.ingressUrl parameter populates with the payload:

    curl -H "X-Ingress-Path: ');window.onload = function() { alert(1); }//" http://localhost:3000/

Impact: This vulnerability is an example of Unauthenticated Reflected XSS. An attacker who exploits this flaw could execute arbitrary JavaScript in a victim's browser session, steal session cookies or authentication tokens, extract sensitive information, or impersonate users to deliver social engineering attacks. This particular exploit requires header injection (via X-Ingress-Path), but it can still be exploited in the wild via misconfigured/compromised reverse proxies, malicious browser extensions, or insecure internal tooling that injects headers. Exploiting this vulnerability via a proxy is particularly dangerous since double-take is often used in home lab setups, where users set up reverse proxies to access their servers from outside of their own network. A compromised proxy could trivially exploit this vulnerability for arbitrary user requests being sent to the internal server that double-take runs on.

Remediation: The core vulnerability stems from the html.replace() call (lines 27-34) in double-take/api/src/app.js:

    html.replace(
      '</head>',
      `<script>
        window.ingressUrl = '${req.headers['x-ingress-path'] || ''}';
        window.publicPath = '${UI?.PATH || ''}';
      </script>
      </head>`
    )

This call directly embeds unsanitized input from the X-Ingress-Path header of a GET request into a JavaScript <script> block.

In order to prevent this exploit, I recommended safely escaping values with a function like JSON.stringify():

    const ingressUrlSafe = JSON.stringify(req.headers['x-ingress-path'] || '');
    const publicPathSafe = JSON.stringify(UI?.PATH || '');
    res.send(
      html.replace(
        '</head>',
        `<script>
          window.ingressUrl = ${ingressUrlSafe};
          window.publicPath = ${publicPathSafe};
        </script>
        </head>`
      )
    );

The project maintainer implemented my fix in v1.13.2, as can be seen in the commit history on GitHub (92521a0bc8ba70f64c4f794332d48387663ba20e).
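Added example (JavaScript; not code from the report or from double-take itself): it places the vulnerable interpolation beside the JSON.stringify fix and adds one guard the fix alone does not give. JSON.stringify escapes quotes, backslashes and control characters but leaves '<' untouched, so a header value containing '</script>' would still close the script block early; the helper jsStringLiteral (an assumed name) additionally escapes '<' as \u003c, which the JavaScript parser decodes back to the identical string. SAMPLE_HTML, scriptIsIntact and ingressUrlSeenByBrowser are names assumed by this example, and the HTML is a constructed stand-in for the served index page.

```javascript
// Added example, not double-take's own code: vulnerable interpolation from
// api/src/app.js beside the JSON.stringify fix, plus a '<' escape that covers
// the '</script>' breakout JSON.stringify alone does not prevent.

// Constructed stand-in for the index.html the app serves.
const SAMPLE_HTML =
  '<html><head><title>Double Take</title></head><body></body></html>';

// Vulnerable form: the raw header value lands inside a JS string literal, so a
// single quote in the value ends the literal and the remainder runs as code.
function renderVulnerable(html, ingressPath, publicPath) {
  return html.replace(
    '</head>',
    `<script>
window.ingressUrl = '${ingressPath || ''}';
window.publicPath = '${publicPath || ''}';
</script>
</head>`
  );
}

// Encode a value as a JS string literal that is safe inside a <script> block.
// JSON.stringify handles quotes, backslashes and control characters but not
// '<', so '</script>' inside the value would still terminate the block early.
// Escaping '<' as \u003c (and U+2028/U+2029, which some parsers treat as line
// terminators) closes that gap without changing the decoded value.
function jsStringLiteral(value) {
  return JSON.stringify(String(value ?? ''))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened form: same template, each value now a proper string literal.
function renderHardened(html, ingressPath, publicPath) {
  return html.replace(
    '</head>',
    `<script>
window.ingressUrl = ${jsStringLiteral(ingressPath)};
window.publicPath = ${jsStringLiteral(publicPath)};
</script>
</head>`
  );
}

// Body of the first <script> block in a rendered page.
function scriptBody(page) {
  const m = page.match(/<script>([\s\S]*?)<\/script>/);
  return m ? m[1] : '';
}

// Defender-side check usable as a regression test for the template: the
// injected block must consist solely of the two expected assignments, each
// with exactly one well-formed string literal on its right-hand side.
const ASSIGNMENT =
  /^window\.(ingressUrl|publicPath) = (?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*');$/;
function scriptIsIntact(page) {
  const lines = scriptBody(page).split('\n').filter((l) => l.trim() !== '');
  return lines.length === 2 && lines.every((l) => ASSIGNMENT.test(l));
}

// Evaluate the block the way a browser would, against a stand-in window
// object, and return what ends up in window.ingressUrl. Intended for the
// hardened output, where the block is known to be two plain assignments.
function ingressUrlSeenByBrowser(page) {
  const win = {};
  new Function('window', scriptBody(page))(win);
  return win.ingressUrl;
}

// Payload quoted in the report, used here only to contrast the two outputs.
const REPORTED_PAYLOAD = "';window.onload = function() { alert(1); }//";

function demo() {
  const result = {
    vulnerableIntact: scriptIsIntact(renderVulnerable(SAMPLE_HTML, REPORTED_PAYLOAD, '')),
    hardenedIntact: scriptIsIntact(renderHardened(SAMPLE_HTML, REPORTED_PAYLOAD, '')),
    roundTrip: ingressUrlSeenByBrowser(renderHardened(SAMPLE_HTML, REPORTED_PAYLOAD, '')),
  };
  console.log(result);
  return result;
}

demo();
```

Run it with node; the hardened block survives both the report's payload and a '</script>' value, and the value the browser reads back equals the header exactly, which is what a correct string-literal encoding must guarantee.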
Source: https://github.com/jakowenko/double-take/commit/e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50
User: omega3663 (UID 91097)
Submitted: 29/09/2025 14:04 (9 months ago)
Moderated: 06/10/2025 08:44 (7 days later)
Status: Accepted
VulDB Entry: 327247 [jakowenko double-take up to 1.13.1 API api/src/app.js app.use X-Ingress-Path cross site scripting]
Points: 20
