CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-cwv4-h3j5-w3cf: rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path

lowCVSS 3.7
Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3 Summary plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature. When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page. This can execute script in the browser of any user who visits the affected directory listing. Affected Repository plabayo/rama Affected Component rama-http/src/service/fs/serve_dir/open_file.rs Root Cause The HTML directory listing is constructed using string formatting and inserts untrusted values directly into HTML. The directory listing row includes the file or directory name in both the link text and the href attribute: rows.push(format!( "<tr><td>{5} <a href=\"{1}{2}{0}\">{0}</a></td><td>{3}</td><td>{4}</td></tr>", entry.name, uri.path().trim_end_matches('/'), ... )); The navigation breadcrumb also inserts URI path parts into generated HTML: nav_parts.push(format!("<a href=\"{current_path}\">{part}</a>")); The page title and heading also include the current URI path: <title>Directory listing for .{0}</title> <h1>Directory listing for .{0}</h1> These values are not HTML-escaped before being embedded into the generated page. Security Impact If an application uses ServeDir with DirectoryServeMode::HtmlFileList, an attacker who can create or influence file names inside the served directory can inject HTML or JavaScript into the generated directory listing. Possible impact includes: - Script execution in the browser of users viewing the directory listing - Session or token theft if the application uses cookies or browser-accessible credentials - UI redressing or phishing inside the application origin - Unauthorized

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 3.7
Published
2026-07-07
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-cwv4-h3j5-w3cf

More from GitHub Security Advisories