Coordinated Disclosure Timeline
- 2024-02-26: Advisory sent.
- 2024-03-26: After discussion with the maintainer, it was concluded that patching this issue would require disabling a major feature of the extension in exchange for fixing a low-severity vulnerability. The decision was made not to patch the issue.
Summary
The MouseTooltipTranslator browser extension is vulnerable to SSRF attacks. A malicious website may be able to coerce the extension to send a GET request to an arbitrary URL.
Project
MouseTooltipTranslator
Tested Version
Details
Blind SSRF in pdf.mjs (GHSL-2024-018)
The pdf.mjs script uses the URL parameter from the current URL as the file to download and display to the extension user.
fetch(url, createFetchOptions(this._headers, this._withCredentials, this._abortController)).then(response => {
  if (!(0,_network_utils_js__WEBPACK_IMPORTED_MODULE_1__.validateResponseStatus)(response.status)) {
    throw (0,_network_utils_js__WEBPACK_IMPORTED_MODULE_1__.createResponseStatusError)(response.status, url);
  }
Because pdf.mjs is imported in viewer.html and viewer.html is accessible to all URLs, an attacker can force the user's browser to make a request to any arbitrary URL.
"web_accessible_resources": [{
  "resources": ["pdfjs/web/viewer.html", "ocr.html", "opencvHandler.html", "videoHandler.js", "googleDocInject.js", "subtitle.js"],
  "matches": ["<all_urls>"]
}],
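The following audit check is an added example, not code from the extension or from the advisory. It reports every HTML page that a manifest exposes to arbitrary web origins, which is the condition that makes viewer.html reachable here. The function name, the set of broad patterns and the narrowed origin https://docs.example/* are assumptions made for illustration.

```javascript
// Added example: find extension pages that any website can load.
// Match patterns treated as "every origin" (assumed list, extend as needed).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns one finding per HTML resource reachable from arbitrary web origins.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    // Manifest V2 lists plain strings, which are exposed to every origin.
    const isV2 = typeof entry === "string";
    const resources = isV2 ? [entry] : entry.resources || [];
    const matches = isV2 ? ["<all_urls>"] : entry.matches || [];
    const broad = matches.filter((m) => BROAD_PATTERNS.has(m));
    if (broad.length === 0) continue;
    for (const resource of resources) {
      // HTML pages run extension scripts and read caller-supplied query
      // strings; wildcard entries may cover HTML pages too.
      if (/\.html?$/i.test(resource) || resource.includes("*")) {
        findings.push({ resource, exposedTo: broad });
      }
    }
  }
  return findings;
}

// Constructed sample: the manifest fragment quoted in this advisory.
const advisoryManifest = {
  web_accessible_resources: [{
    resources: ["pdfjs/web/viewer.html", "ocr.html", "opencvHandler.html",
      "videoHandler.js", "googleDocInject.js", "subtitle.js"],
    matches: ["<all_urls>"],
  }],
};

// Constructed contrast: same page limited to one hypothetical origin.
const narrowedManifest = {
  web_accessible_resources: [{
    resources: ["pdfjs/web/viewer.html"],
    matches: ["https://docs.example/*"],
  }],
};

for (const f of auditWebAccessibleResources(advisoryManifest)) {
  console.log(`${f.resource} is loadable from ${f.exposedTo.join(", ")}`);
}
```

Each reported page still needs a manual review of how it handles URL parameters, since exposure alone does not show that a request can be triggered.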
Impact
This issue may lead to Privilege Escalation. An SSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a local server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving a request initiated by an attacker, this integrity is broken.
CVE
- CVE-2025-25303 - GHSL-2024-018
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-018 in any communication regarding this issue.