Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS requiring victim interaction (UI:R); no privileges needed; scope changes to victim browser origin (S:C); confidentiality and integrity limited to session-level data, no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
AnalysisAI
Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.
Technical ContextAI
Valhalla is an open-source C++ routing engine (CPE: cpe:2.3:a:valhalla:valhalla:*:*:*:*:*:*:*:*) built on OpenStreetMap data, exposing HTTP APIs for routing and map-matching. It supports JSONP (JSON with Padding), a legacy browser technique for cross-origin data access predating CORS, where the API wraps a JSON response in a caller-supplied JavaScript function name. The flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because the callback parameter value is written directly into the HTTP response body - with Content-Type: application/javascript - without validation, output encoding, or allowlist filtering. This is a textbook reflected XSS variant: the server acts as an unwilling script host, reflecting attacker-controlled content to victim browsers. The CVSS S:C metric confirms scope change: the vulnerability is on the Valhalla server, but the impact materialises in the victim's browser within the Valhalla origin.
RemediationAI
No vendor-released patch has been identified at time of analysis - the CVE description explicitly states this issue was not fixed at time of publication. Operators should monitor the upstream repository at https://github.com/valhalla/valhalla and the advisory GHSA-85xx-39j8-r56x for patch availability. As immediate compensating controls: disable JSONP support entirely at the application or reverse-proxy layer if CORS is a viable alternative for cross-origin consumers, since modern browsers universally support CORS and JSONP is a legacy pattern. If disabling JSONP is not feasible, deploy a Web Application Firewall (WAF) rule to validate that the callback parameter matches a strict alphanumeric allowlist (e.g., [a-zA-Z0-9_]{1,64}) and reject or strip any request that does not conform - note this introduces a risk of breaking legitimate integrations that use non-standard callback names. Additionally, restrict network access to the Valhalla API to trusted internal networks where possible, reducing the pool of potential attackers who can deliver crafted URLs. None of these controls address the root cause; patching remains the definitive fix.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36741