Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-q68h-xwq5-mm7x

HIGH

Cross-site Scripting Vulnerability on Avatar Upload

Also known asCVE-2023-47115PYSEC-2024-126
Published
Jan 24, 2024
Updated
Nov 22, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
1.4%probability of exploitation in next 30 days
Lower Risk70th percentile-1.77%
0.92%1.86%2.81%3.75%2.3%1.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐍label-studio

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Introduction

This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2 and was tested on version 1.8.2.

Overview

Label Studio has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website.

Description

The following code snippet in Label Studio shows that the only verification check is that the file is an image by extracting the dimensions from the file.


def hash_upload(instance, filename):
    filename = str(uuid.uuid4())[0:8] + '-' + filename
    return settings.AVATAR_PATH + '/' + filename <3>


def check_avatar(files):
    images = list(files.items())
    if not images:
        return None

    filename, avatar = list(files.items())[0]  # get first file
    w, h = get_image_dimensions(avatar) <1>
    if not w or not h:
        raise forms.ValidationError("Can't read image, try another one")

    # validate dimensions
    max_width = max_height = 1200
    if w > max_width or h > max_height:
        raise forms.ValidationError('Please use an image that is %s x %s pixels or smaller.'
                                    % (max_width, max_height))

    # validate content type
    main, sub = avatar.content_type.split('/') <2>
    if not (main == 'image' and sub.lower() in ['jpeg', 'jpg', 'gif', 'png']):
        raise forms.ValidationError(u'Please use a JPEG, GIF or PNG image.')

    # validate file size
    max_size = 1024 * 1024
    if len(avatar) > max_size:
        raise forms.ValidationError('Avatar file size may not exceed ' + str(max_size/1024) + ' kb')

    return avatar
  1. Attempts to get image dimensions to validate the uploaded avatar file is an image.
  2. Extracts the Content-Type from the upload POST request. A user can easily bypass this verification by changing the mimetype of the uploaded file to an allowed type (eg. image/jpeg).
  3. The file extension of the uploaded file is never validated and is saved to the filesystem.

Label Studio serves avatar images using Django's built-in serve view, which is not secure for production use according to Django's documentation.

    re_path(r'^data/' + settings.AVATAR_PATH + '/(?P<path>.*)$', serve,
            kwargs={'document_root': join(settings.MEDIA_ROOT, settings.AVATAR_PATH)}),

The issue with the Django serve view is that it determines the Content-Type of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a .html extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.

Proof of Concept

Below are the steps to reproduce this issue and execute JavaScript code in the context of the Label Studio website.

  1. Using any JPEG or PNG image, add in the comment field in the metadata the HTML code <script>alert(document.domain)</script>. This can be done using the exiftool command as shown below that was used to create the following image.
exiftool -Comment='<script>alert(document.domain)</script>' penguin.jpg

xss-penguin

  1. On Label Studio, navigate to account & settings page and intercept the upload request of the avatar image using a tool such as Burp Suite. Modify the filename in the request to have a .html extension.

  2. Right click the image on the avatar profile and copy the URL. Send this to a victim and it will display an alert box with the host name of the Label Studio instance as shown below.

xss-alert

Impact

Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.

Remediation Advice

  • Validate the file extension on the server side, not in client-side code.
  • Remove the use of Django's serve view and implement a secure controller for viewing uploaded avatar images.
  • Consider saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities.
  • Avoid trusting user controlled inputs.

Discovered

  • August 2023, Alex Brown, elttam

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIlabel-studioall versions1.9.2
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Label Studio is an a popular open source data labeling tool. Versions pr…

github.comNVDFeb 2024

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for label-studio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update label-studio to 1.9.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q68h-xwq5-mm7x is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-q68h-xwq5-mm7x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-q68h-xwq5-mm7x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2` and was tested on version `1.8.2`. # Overview [Label Studio](https://github.com/HumanSignal/label-studio) has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. # Description The following [code snippet in Label Studi
O3 Security · Impact-Aware SCA

Is GHSA-q68h-xwq5-mm7x in your dependencies?

O3 detects GHSA-q68h-xwq5-mm7x across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works