GHSA-cwv4-h3j5-w3cf: rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3
Summary
plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature.
When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page.
This can execute script in the browser of any user who visits the affected directory listing.
Affected Repository
plabayo/rama
Affected Component
rama-http/src/service/fs/serve_dir/open_file.rs
Root Cause
The HTML directory listing is constructed using string formatting and inserts untrusted values directly into HTML.
The directory listing row includes the file or directory name in both the link text and the href attribute:
rows.push(format!(
"<tr><td>{5} <a href=\"{1}{2}{0}\">{0}</a></td><td>{3}</td><td>{4}</td></tr>",
entry.name,
uri.path().trim_end_matches('/'),
...
));
The navigation breadcrumb also inserts URI path parts into generated HTML:
nav_parts.push(format!("<a href=\"{current_path}\">{part}</a>"));
The page title and heading also include the current URI path:
<title>Directory listing for .{0}</title>
<h1>Directory listing for .{0}</h1>
These values are not HTML-escaped before being embedded into the generated page.
Security Impact
If an application uses ServeDir with DirectoryServeMode::HtmlFileList, an attacker who can create or influence file names inside the served directory can inject HTML or JavaScript into the generated directory listing.
Possible impact includes:
- Script execution in the browser of users viewing the directory listing
- Session or token theft if the application uses cookies or browser-accessible credentials
- UI redressing or phishing inside the application origin
- Unauthorized
Details
Original advisory: https://github.com/advisories/GHSA-cwv4-h3j5-w3cf
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10