GHSA-x369-mcw8-8rvj
LOWDark Reader gives users the ability to request style sheets from local web servers
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
darkreadernpmDescription
Description
Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type.
Patches
The problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.
The installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, chrome://extensions or about:addons pages.
Users are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.
NPM package
The issue does not affect developers using the darkreader NPM package for website integration. Developers using the setFetchMethod() API must ensure the cross-origin requests are restricted to the intended scope.
Custom forks
Developers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.
Acknowledgements
Security research performed by Brian Carpenter - Deep Fork Cyber.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | darkreader | all versions | 4.9.117 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for darkreader. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update darkreader to 4.9.117 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x369-mcw8-8rvj is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x369-mcw8-8rvj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x369-mcw8-8rvj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x369-mcw8-8rvj in your dependencies?
O3 detects GHSA-x369-mcw8-8rvj across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.