postmanlabs httpbin CVE-2025-15095
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Cross-site scripting (XSS) vulnerability in postmanlabs httpbin up to version 0.6.1 allows authenticated remote attackers to inject malicious scripts via manipulation of an unknown function in httpbin/core.py, requiring user interaction to execute. Public exploit code is available, and the vendor has not yet responded to early disclosure notification despite a low CVSS score of 2.0 and EPSS exploitation probability of 0.02%, indicating minimal real-world risk despite code availability.
Technical ContextAI
httpbin is a lightweight HTTP request and response testing utility library written in Python. The vulnerability is a reflected or stored XSS flaw (CWE-79) in the core.py module, meaning unsanitized user input is rendered in HTTP responses without proper output encoding. The affected versions (up to 0.6.1) fail to apply context-appropriate escaping to user-controlled data, allowing injection of JavaScript or HTML payloads. This is a classic web application vulnerability class that affects any component exposing user input in responses.
Affected ProductsAI
postmanlabs httpbin versions up to and including 0.6.1 are affected, with the vulnerability present in the httpbin/core.py module (CPE match would be cpe:2.3:a:postmanlabs:httpbin:*:*:*:*:*:*:*:* with version constraint <=0.6.1). The issue was reported via GitHub issues (reference: https://github.com/postmanlabs/httpbin/issues/735) and tracked in VulDB under CVE tracking.
RemediationAI
Upgrade postmanlabs httpbin to a version released after 0.6.1 once a patch is available; however, no patched version is currently confirmed from vendor release notes. As a compensating control pending patch availability, disable or restrict access to the affected httpbin instance to trusted networks only using firewall rules or API gateway authentication, as the vulnerability requires PR:L (authenticated access). If httpbin is exposed via a web application, implement a Web Application Firewall (WAF) with XSS signature detection on output encoding rules to block responses containing script tags or event handlers, though this adds latency and may generate false positives. Monitor the official GitHub repository (https://github.com/postmanlabs/httpbin) for security updates, as the maintainers have not yet responded to disclosure but may release a patch without public notification.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today