| Title | Mage AI 0.9.79 DOM-Based XSS, Open Redirect |
|---|
| Description | A DOM-Based Cross-Site Scripting (XSS) vulnerability has been discovered in the Mage AI application's sign-in functionality. The application improperly trusts a URL parameter (redirect_url) during the sign-in flow. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the context of their browser. When the link is opened by authenticated users (those who have already logged in), the XSS payload triggers automatically. For unauthenticated users, it triggers upon successful login or registration. This could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim.
---
CVSS v3.1 Score Justification
Base Score: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely over the network via a crafted URL.
Attack Complexity (AC): Low (L) – The attack does not require complex conditions; the vulnerable code path is easily reached. The attacker only needs to know the correct parameter name.
Privileges Required (PR): None (N) – No authentication or privileges are required to trigger the vulnerability. The link can be sent to any user.
User Interaction (UI): Required (R) – The victim must click on the attacker's malicious link.
Scope (S): Changed (C) – The vulnerable component is the client-side code, but the impact (executing arbitrary script) affects the user's browser session and the data accessible within the application's security context.
Confidentiality (C): High (H) – Successful exploitation could lead to complete loss of confidentiality. An attacker can call authenticated API endpoints, access sensitive data, and other information stored in the browser's context.
Integrity (I): Low (L) – An attacker could potentially modify some data or perform actions on behalf of the user.
Availability (A): None (N) – The attack does not directly impact the availability of the application or its data.
---
Note to moderator: The vendor was notified on March 7, 2026 with a 45-day disclosure deadline of Apr. 22, 2026. This was later extended to May 6, 2026 after further attempted contact. The maintainer did not respond after further follow-up. The issue is not fixed. After waiting past the disclosure deadline and with the absence of a fix on the GitHub project, I have decided to proceed with public disclosure. It is reasonable that Mage AI users are unaware of the vulnerability.
CVD: https://gist.github.com/TrebledJ/8af312cf797391ef7b50b94bb244333a
Vendor: https://github.com/mage-ai/
Product: https://github.com/mage-ai/mage-ai/
Similar VDB Entries: VDB-358037, VDB-356245 |
|---|
| Source | ⚠️ https://gist.github.com/TrebledJ/8af312cf797391ef7b50b94bb244333a |
|---|
| User | trebledj (UID 94356) |
|---|
| Submission | 08/05/2026 04:25 (1 month ago) |
|---|
| Moderation | 06/06/2026 00:11 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 369016 [Mage AI up to 0.9.79 Sign-in Flow index.tsx useMutation query.redirect_url Cross-Site Scripting] |
|---|
| Points | 20 |
|---|
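
The description above attributes the issue to the sign-in flow trusting `redirect_url`. One way to validate such a parameter before navigating is sketched here as an added example; it is not code from Mage AI or from the submitter, and `safeRedirectTarget`, `redirectFromQuery` and the origin `https://mage.example.test` are hypothetical names chosen for illustration.

```javascript
// Added example, not Mage AI code. APP_ORIGIN is a constructed placeholder.
const APP_ORIGIN = 'https://mage.example.test';

// Return a same-origin path to navigate to after sign-in, or `fallback`.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN, fallback = '/') {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;
  // Browsers strip tabs/newlines from URLs and treat "\" like "/" for
  // http(s), so reject both before doing any prefix checks.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  // Accept only path-absolute references ("/x"). This excludes every
  // scheme (javascript:, data:, https:) and protocol-relative "//host".
  if (!raw.startsWith('/') || raw.startsWith('//')) return fallback;
  let url;
  try {
    url = new URL(raw, appOrigin);
  } catch {
    return fallback;
  }
  // Defence in depth: the resolved URL must stay on the app's origin.
  if (url.origin !== new URL(appOrigin).origin) return fallback;
  return url.pathname + url.search + url.hash;
}

// Read redirect_url from a query string such as window.location.search.
function redirectFromQuery(search) {
  return safeRedirectTarget(new URLSearchParams(search).get('redirect_url'));
}

// Constructed sample inputs covering the common bypass shapes.
const samples = [
  '?redirect_url=%2Fpipelines%3Ftab%3D1',
  '?redirect_url=javascript%3Avoid(0)',
  '?redirect_url=%2F%2Fother.example.test%2Fx',
  '?redirect_url=%2F%5Cother.example.test',
  '?redirect_url=https%3A%2F%2Fother.example.test%2F',
  '',
];
for (const s of samples) console.log(JSON.stringify(s), '->', redirectFromQuery(s));
```

Only the first sample yields its own path (`/pipelines?tab=1`); every other input falls back to `/`, which covers both the script-scheme and the off-site redirect cases named in the title.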