CVE-2025-54414

Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/TecharoHQ/anubis/pull/904
https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3
https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c

Configurations

No configuration.

History

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Anubis es una utilidad de firewall web con inteligencia artificial que evalúa el estado de las conexiones de los usuarios mediante uno o más desafíos para proteger los recursos de origen de bots rastreadores. En las versiones 1.21.2 y anteriores, los atacantes pueden manipular páginas maliciosas de desafío de paso que provocan que el usuario ejecute código JavaScript arbitrario o activen otros esquemas no estándar. Una versión incompleta de esta corrección se registró en la versión 1.21.2 y posteriormente se canceló el proceso de lanzamiento tras las pruebas finales. Para solucionar este problema: bloquee cualquier solicitud a la ruta /.within.website/x/cmd/anubis/api/pass-challenge con el parámetro ?redir= establecido en cualquier URL que no comience con el esquema http, https o ningún esquema (redireccionamiento a la ruta local). Esto se solucionó en la versión 1.21.3.

26 Jul 2025, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-26 04:16

Updated : 2025-07-29 14:14

NVD link : CVE-2025-54414

Mitre link : CVE-2025-54414

CVE.ORG link : CVE-2025-54414

JSON object : View

Products Affected

No product.

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-54414", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-26T04:16:06.987", "references": [{"url": "https://github.com/TecharoHQ/anubis/pull/904", "source": "security-advisories@github.com"}, {"url": "https://github.com/TecharoHQ/anubis/releases/tag/v1.21.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3."}, {"lang": "es", "value": "Anubis es una utilidad de firewall web con inteligencia artificial que eval\u00faa el estado de las conexiones de los usuarios mediante uno o m\u00e1s desaf\u00edos para proteger los recursos de origen de bots rastreadores. En las versiones 1.21.2 y anteriores, los atacantes pueden manipular p\u00e1ginas maliciosas de desaf\u00edo de paso que provocan que el usuario ejecute c\u00f3digo JavaScript arbitrario o activen otros esquemas no est\u00e1ndar. Una versi\u00f3n incompleta de esta correcci\u00f3n se registr\u00f3 en la versi\u00f3n 1.21.2 y posteriormente se cancel\u00f3 el proceso de lanzamiento tras las pruebas finales. Para solucionar este problema: bloquee cualquier solicitud a la ruta /.within.website/x/cmd/anubis/api/pass-challenge con el par\u00e1metro ?redir= establecido en cualquier URL que no comience con el esquema http, https o ning\u00fan esquema (redireccionamiento a la ruta local). Esto se solucion\u00f3 en la versi\u00f3n 1.21.3."}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "security-advisories@github.com"}