Coordinated Disclosure Timeline

Summary

A reflected XSS vulnerability and a CORS issue are present on the tamagui website, tamagui.dev. These vulnerabilities may allow an attacker to leak the cookies of users, and thus impersonate users on the website.

Project

tamagui

Tested Version

Latest

Details

Issue 1: reflected XSS in /login (GHSL-2023-258)

A reflected XSS vulnerability exists in useForwardToDashboard.tsx. If a user clicks a specially crafted tamagui link supplied by an attacker, they are prompted to sign in (by pressing the GitHub login button). After completion, the attacker can steal the user’s cookie and impersonate the user.

  useEffect(() => {
    const main = async () => {
      if (user && !isLoading) {
        if (router.query.studio) {
          location.href =
            process.env.NODE_ENV === 'development'
              ? 'http://localhost:1421'
              : 'https://studio.tamagui.dev'
        } else {
          await router.replace(
            typeof router.query.redirect_to === 'string'
              ? router.query.redirect_to      // < ----- redirect_to parameter is potentially attacker controlled
              : '/account'
          )
        }
      }
    }

In addition to being an XSS vulnerability, this is also an open redirect vulnerability because an attacker can redirect a user to any domain of their choosing.

This vulnerability was found with the help of CodeQL’s XSS Query.
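The fix for both the XSS and the open redirect is to validate the redirect_to value before handing it to the router, rather than trusting any string. The following is an added example, not tamagui’s code: a validator that accepts only same-site absolute paths and falls back to a fixed default for everything else. The function and parameter names, the fallback path and the placeholder base URL are assumptions.

```typescript
// Added example (not tamagui's code): accept only same-site absolute paths as a
// redirect target; anything else (absolute URLs, scheme-relative "//host" URLs,
// javascript:/data: URLs, control characters) falls back to a fixed default.
// Names and the fallback path are assumptions for illustration.

const DEFAULT_REDIRECT = '/account'
const DUMMY_BASE = 'https://placeholder.invalid' // never dereferenced; only used to parse

function safeRedirectPath(input: unknown, fallback: string = DEFAULT_REDIRECT): string {
  if (typeof input !== 'string' || input.length === 0) return fallback

  // Control characters and whitespace are stripped by some URL parsers
  // ("\tjavascript:" becomes "javascript:"), so reject them outright.
  if (/[\u0000-\u001f\u007f\s]/.test(input)) return fallback

  // Must be an absolute-path reference: a single leading "/".
  // "//host" is a scheme-relative URL and "/\host" is treated the same way by browsers.
  if (!input.startsWith('/') || input.startsWith('//') || input.startsWith('/\\')) return fallback

  // Parse against a dummy base and confirm the origin was not changed.
  let parsed: URL
  try {
    parsed = new URL(input, DUMMY_BASE)
  } catch {
    return fallback
  }
  if (parsed.origin !== DUMMY_BASE) return fallback

  // Dot-segment normalisation can still yield "//host" (e.g. "/..//host"),
  // which the router would read as a scheme-relative URL, so re-check the result.
  if (parsed.pathname.startsWith('//')) return fallback

  return parsed.pathname + parsed.search + parsed.hash
}

// Usage at the vulnerable call site would become:
//   await router.replace(safeRedirectPath(router.query.redirect_to))
```

The last check matters: a naive validator that only inspects the raw string misses inputs whose normalised form starts with a double slash, and the router then treats the result as a URL pointing at another host.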

Impact

This issue may lead to Information Disclosure and Privilege Escalation.

Issue 2: CORS Issue in protectApiRoute (GHSL-2023-259)

A logic issue is present in the setupCors function, which is used to protect sensitive APIs. The middleware only checks whether the Origin header ends with one of an allowlist of domain suffixes, so any origin sharing that suffix passes, allowing an attacker to bypass the filter.

export function setupCors(req: NextApiRequest, res: NextApiResponse) {
  const origin = req.headers.origin

  if (
    typeof origin === 'string' &&
    (origin.endsWith('tamagui.dev') ||
      origin.endsWith('localhost:1421') ||
      origin.endsWith('stripe.com'))
  ) {
    res.setHeader('Access-Control-Allow-Origin', origin)
    res.setHeader('Access-Control-Allow-Credentials', 'true')
  }
}

If an attacker is able to get a logged-in user to access a malicious website, they could steal the user’s credentials and log in as them.

This vulnerability was found with the help of CodeQL’s CORS query.
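The correct check compares the full Origin value (scheme, host and port) against an exact allowlist, rather than testing a suffix. The following is an added example, not tamagui’s code, showing the suffix test from setupCors beside an exact-match version; the allowlisted origins, function names and the header-building helper are assumptions.

```typescript
// Added example (not tamagui's code): CORS origin decision with an exact
// allowlist of full origins, contrasted with the suffix test from the advisory.
// The origins listed here are assumptions for illustration.

const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'https://tamagui.dev',
  'https://studio.tamagui.dev',
  'http://localhost:1421',
])

// The flawed logic as described in the advisory: any origin whose string
// ends with an allowed suffix is accepted.
function weakSuffixCheck(origin: unknown): boolean {
  return (
    typeof origin === 'string' &&
    (origin.endsWith('tamagui.dev') ||
      origin.endsWith('localhost:1421') ||
      origin.endsWith('stripe.com'))
  )
}

// Exact-match replacement: parse the Origin header, require that it is a
// canonical serialised origin (no path, no trailing slash, no case tricks),
// then look the whole origin up in the allowlist.
function isAllowedOrigin(origin: unknown): boolean {
  if (typeof origin !== 'string') return false
  let parsed: URL
  try {
    parsed = new URL(origin)
  } catch {
    return false // includes the literal "null" origin, which must never be allowlisted
  }
  return parsed.origin === origin && ALLOWED_ORIGINS.has(parsed.origin)
}

// Headers to set for an allowed origin, or null to set none. "Vary: Origin"
// keeps caches from serving one origin's response to another.
function corsHeadersFor(origin: unknown): Record<string, string> | null {
  if (!isAllowedOrigin(origin)) return null
  return {
    'Access-Control-Allow-Origin': origin as string,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  }
}
```

In the Next.js handler the call would replace the endsWith chain: compute `corsHeadersFor(req.headers.origin)` and apply the returned headers with `res.setHeader` only when the result is not null. Reflecting the origin is safe only after the exact match, because Access-Control-Allow-Credentials: true forbids a wildcard and makes any reflected origin fully trusted.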

Impact

This issue may lead to Information Disclosure.

CVE

Credit

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-258 or GHSL-2023-259 in any communication regarding these issues.