[Bug] XSS Vulnerability in /admin/users #834

Closed
opened 2025-12-29 02:24:38 +01:00 by adam · 4 comments

Originally created by @AmrealAbhishek on GitHub (Oct 16, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

There is a Cross-Site Scripting (XSS) vulnerability in the localhost.lugvitc.net/admin/users page. The application is not properly sanitizing user input, which allows attackers to inject arbitrary JavaScript into the page and execute it within the context of other users' browsers.

Expected Behavior

The input fields should properly sanitize all user input, especially special characters such as <, >, " and '. The application should escape any potentially malicious content to prevent script execution.

Steps To Reproduce

Screenshots attached to the report:

  - Screenshot 2024-10-16 at 4 09 09 PM: https://github.com/user-attachments/assets/6182a742-c14b-41c6-b4db-a97d8a7246ab
  - Screenshot 2024-10-16 at 4 11 13 PM: https://github.com/user-attachments/assets/20de942d-2002-4eb6-b471-0bb05878cf91
  - Screenshot 2024-10-16 at 4 12 51 PM: https://github.com/user-attachments/assets/ab884dd9-9326-4c56-b95a-e62f7d324726
  - Screenshot 2024-10-16 at 4 12 56 PM: https://github.com/user-attachments/assets/843146f5-c8c3-4005-bde9-719f39f4f6cd

  1. Navigate to the localhost.lugvitc.net/admin/users page.
  2. In the input field (e.g., name or other parameters), input one of the following XSS payloads:

     - <input onfocus="alert(document.domain)" autofocus>
     - <img src="x" onerror="console.log('XSS for every user: ', document.cookie)">

Submit the form and observe that the alert XSS by amreal.in is triggered, indicating that the payload is executed.
This shows that the application is vulnerable to XSS and does not sanitize the input.

  - Screenshot 2024-10-16 at 4 02 48 PM: https://github.com/user-attachments/assets/daf4b559-10ec-438f-9ebb-78025635bd87
  - Screenshot 2024-10-16 at 4 07 38 PM: https://github.com/user-attachments/assets/f63dc2e3-ab55-4104-94f8-7754e2f7d6f5

Environment

- OS: ubuntu
- Headscale version: Headscale-Admin v0.1.12b
- Tailscale version:

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response
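The escaping the report asks for under "Expected Behavior", as an added example. This is not the reporter's code and not headscale-admin's own code; the page does not show what CardListPage.svelte line 7 contains, so the "unsafe" render below is an assumed pattern (untrusted text spliced straight into markup, which is what Svelte's {@html} or DOM innerHTML would do) used only to make the contrast observable. The two payloads are copied from the report's "Steps To Reproduce"; the benign name and the card template are constructed for the example.

```javascript
// Added example (not from the issue or the headscale-admin project): render an
// untrusted user name both unescaped and escaped, and show that only the
// unescaped render turns the report's payloads into live tags and handlers.

// Constructed input: the two payloads from the report plus a benign name.
const SAMPLE_NAMES = [
  'alice',
  '<input onfocus="alert(document.domain)" autofocus>',
  '<img src="x" onerror="console.log(\'XSS for every user: \', document.cookie)">',
];

// Minimal HTML escaper for the characters the report calls out (<, >, ", ')
// plus &, which is replaced first so the entities produced here are not
// themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed vulnerable pattern: the name is interpolated as raw markup.
// In Svelte this is what {@html name} does; in the DOM, element.innerHTML = ....
function renderCardUnsafe(name) {
  return `<div class="card"><span class="name">${name}</span></div>`;
}

// Hardened pattern: identical template, but the name is escaped first.
// Svelte's plain {name} interpolation performs this escaping automatically.
function renderCardSafe(name) {
  return `<div class="card"><span class="name">${escapeHtml(name)}</span></div>`;
}

// Crude start-tag scanner, used here only so the difference is visible without a
// browser: returns each start tag's name and its raw attribute string.
function startTags(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g)].map((m) => ({
    tag: m[1].toLowerCase(),
    attrs: m[2],
  }));
}

// True when any start tag carries an on* event-handler attribute. Only tag
// attribute strings are inspected, so escaped text such as "onfocus=&quot;"
// that appears outside a tag is correctly ignored.
function hasEventHandler(markup) {
  return startTags(markup).some(({ attrs }) => /\son[a-z]+\s*=/i.test(attrs));
}

// For every sample name, compare what each render produces. The safe render
// must always contain exactly the two template tags (div, span) and no handler.
function compareRenders(names = SAMPLE_NAMES) {
  return names.map((name) => {
    const unsafe = renderCardUnsafe(name);
    const safe = renderCardSafe(name);
    return {
      name,
      unsafeTags: startTags(unsafe).map((t) => t.tag),
      unsafeHasHandler: hasEventHandler(unsafe),
      safeTags: startTags(safe).map((t) => t.tag),
      safeHasHandler: hasEventHandler(safe),
    };
  });
}

for (const result of compareRenders()) {
  console.log(JSON.stringify(result));
}
```

Run it with `node`. For both payloads the unsafe render grows a third tag (input or img) with an event handler, while the safe render stays at div and span with none; the benign name renders identically either way. In a Svelte component the practical check is the same one this scanner makes by hand: look for `{@html ...}` applied to values that originate from a user or from an API response, and replace it with plain `{...}` interpolation unless the value is already trusted markup.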
adam added the bug label 2025-12-29 02:24:38 +01:00
adam closed this issue 2025-12-29 02:24:38 +01:00
@WizzyGeek commented on GitHub (Oct 16, 2024):

The vulnerability arises from
https://github.com/GoodiesHQ/headscale-admin/blob/main/src%2Flib%2Fcards%2FCardListPage.svelte#L7

Not headscale

Besides, this seems like a low severity issue since injection can only be done by the user for the user or by the server

@hopleus commented on GitHub (Oct 17, 2024):

@AmrealAbhishek So your frontend clearly shows an error that it was unable to add a user and in the console there is a clear error of fetch execution, so the request did not reach the Headscale server. I agree with @WizzyGeek, it is unlikely that the error is related to headscale.

@AmrealAbhishek commented on GitHub (Oct 17, 2024):

@hopleus this is not a stored XSS, it's a reflected XSS!!

@hopleus commented on GitHub (Oct 17, 2024):

> @hopleus this is not a stored XSS, it's a reflected XSS!!

I understand, that's why I wrote that the bug is not related to Headscale, as Headscale itself does not contain UI!

Reference: starred/headscale#834