Skip to main content

postmanlabs httpbin CVE-2025-15095

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-12-26 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 03:01 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site scripting (XSS) vulnerability in postmanlabs httpbin up to version 0.6.1 allows authenticated remote attackers to inject malicious scripts via manipulation of an unknown function in httpbin/core.py, requiring user interaction to execute. Public exploit code is available, and the vendor has not yet responded to early disclosure notification despite a low CVSS score of 2.0 and EPSS exploitation probability of 0.02%, indicating minimal real-world risk despite code availability.

Technical ContextAI

httpbin is a lightweight HTTP request and response testing utility library written in Python. The vulnerability is a reflected or stored XSS flaw (CWE-79) in the core.py module, meaning unsanitized user input is rendered in HTTP responses without proper output encoding. The affected versions (up to 0.6.1) fail to apply context-appropriate escaping to user-controlled data, allowing injection of JavaScript or HTML payloads. This is a classic web application vulnerability class that affects any component exposing user input in responses.

Affected ProductsAI

postmanlabs httpbin versions up to and including 0.6.1 are affected, with the vulnerability present in the httpbin/core.py module (CPE match would be cpe:2.3:a:postmanlabs:httpbin:*:*:*:*:*:*:*:* with version constraint <=0.6.1). The issue was reported via GitHub issues (reference: https://github.com/postmanlabs/httpbin/issues/735) and tracked in VulDB under CVE tracking.

RemediationAI

Upgrade postmanlabs httpbin to a version released after 0.6.1 once a patch is available; however, no patched version is currently confirmed from vendor release notes. As a compensating control pending patch availability, disable or restrict access to the affected httpbin instance to trusted networks only using firewall rules or API gateway authentication, as the vulnerability requires PR:L (authenticated access). If httpbin is exposed via a web application, implement a Web Application Firewall (WAF) with XSS signature detection on output encoding rules to block responses containing script tags or event handlers, though this adds latency and may generate false positives. Monitor the official GitHub repository (https://github.com/postmanlabs/httpbin) for security updates, as the maintainers have not yet responded to disclosure but may release a patch without public notification.

Share

CVE-2025-15095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy