GHSA-5pm7-cp8f-p2c2
MEDIUMwallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
Blast Radius
wallabag/wallabagReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing unintended actions within their wallabag account without their consent. Additionally, one endpoint affects the login page locale setting.
The affected endpoints allow attackers to potentially perform actions such as:
- Manage API Tokens:
/generate-token/revoke-token
- Manage User Rules:
/tagging-rule/delete/{taggingRule}/ignore-origin-user-rule/delete/{ignoreOriginUserRule}
- Modify User Configuration:
/config/view-mode
- Manage Individual Entries:
/reload/{id}/archive/{id}/star/{id}/delete/{id}/share/{id}/share/delete/{id}
- Manage Tags:
/remove-tag/{entry}/{tag}/tag/search/{filter}/tag/delete/{slug}
- Perform Bulk Actions:
/mass
- Change Interface Language (Login Page):
/locale/{language}
Successfully exploiting these vulnerabilities could lead to unauthorized modification or deletion of user data, configuration changes, token manipulation, or interface changes, depending on the specific endpoint targeted.
This set of vulnerabilities has an aggregated CVSS v3.1 score of 4.3 (Medium).
Users are strongly advised to upgrade their wallabag instance to version 2.6.11 or later to mitigate these vulnerabilities.
Resolution
These vulnerabilities have been addressed in wallabag version 2.6.11. The affected endpoints have been modified to require the HTTP POST method along with a valid CSRF token for state-changing actions, preventing attackers from forcing users' browsers to perform these actions unintentionally.
Credits
Found, reported and fixed by @yguedidi
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | wallabag/wallabag | all versions | 2.6.11 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wallabag/wallabag. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update wallabag/wallabag to 2.6.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-5pm7-cp8f-p2c2 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-5pm7-cp8f-p2c2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-5pm7-cp8f-p2c2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-5pm7-cp8f-p2c2 in your dependencies?
O3 detects GHSA-5pm7-cp8f-p2c2 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.