GHSA-9CPJ-QC93-VW8V

Vulnerability from github – Published: 2026-06-17 18:10 – Updated: 2026-06-17 18:10
VLAI?
Summary
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
Details

Summary

Me again.

Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted .gltf files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into the DOM using innerHTML without sanitization. An attacker who can push a .gltf file to any repository can execute arbitrary JavaScript in the context of any user who views the file.

Affected Versions

  • Gitea 1.25.0 and later (3D file preview was introduced in 1.25 via the Online3DViewer integration)
  • Confirmed on gitea:1.25-nightly (SHA e33d1da...), which bundles online-3d-viewer npm package v0.16.0
  • The upstream Online3DViewer library is the root cause

Severity

  • Stored XSS: the payload persists in the repository and fires on every page view
  • Executes under the Gitea origin with the victim's session (cookies, CSRF tokens)
  • Any authenticated user viewing the file is compromised
  • Enables full account takeover (token creation, settings modification, repository manipulation)
  • No user interaction beyond viewing the file page is required

Details

Root Cause

When Online3DViewer parses a glTF file, it checks whether all extensionsRequired entries are supported. For unsupported extensions, it calls:

// In the Online3DViewer bundle (online-3d-viewer.js)
// Approximate offset 1142618 in the bundled chunk
this.SetError(yp("Unsupported extension: {0}.", unsupportedExtensions.join(", ")));

The SetError method stores this message, and Gitea's rendering code inserts it into the page using innerHTML:

// Gitea's error display handler
element.innerHTML = errorMessage;  // unsanitized

The extension names from extensionsRequired are taken directly from the JSON file with no escaping or sanitization, allowing HTML injection.

Attack Vector

  1. An attacker creates a .gltf file with a malicious extensionsRequired value:
{
  "asset": {"version": "2.0"},
  "buffers": [],
  "extensionsRequired": ["<img src=x onerror=\"alert(document.cookie)\">"],
  "scenes": []
}
  1. The attacker pushes this file to any Gitea repository they have write access to (including forks of public repositories).

  2. When any user navigates to the file's page in the Gitea web UI, the 3D viewer attempts to render it, encounters the "unsupported extension," and inserts the error message (containing the attacker's HTML) into the DOM via innerHTML.

  3. The injected <img onerror> handler executes arbitrary JavaScript under the Gitea origin with the victim's authenticated session.

Impact

From the XSS context, an attacker can:

  • Create API access tokens for the victim by POSTing to /user/settings/applications with the page's CSRF token
  • Read private repositories via same-origin API calls
  • Modify repository contents (supply chain attacks)
  • Escalate to admin if the victim is a Gitea administrator
  • Exfiltrate data via fetch, XMLHttpRequest, or navigator.sendBeacon

Proof of Concept

Minimal PoC (alert box)

Save as poc.gltf and push to any Gitea 1.25+ repository:

{
  "asset": {"version": "2.0"},
  "buffers": [],
  "extensionsRequired": ["<img src=x onerror=\"alert('XSS: '+document.domain)\">"],
  "scenes": []
}

Navigate to the file in the Gitea web UI. The alert will fire.

Suggested Fixes

Sanitize or text-encode the error message before DOM insertion. Replace innerHTML with textContent for error display:

// Instead of:
element.innerHTML = errorMessage;

// Use:
element.textContent = errorMessage;

Alternatively, escape HTML entities in the error message before insertion.

Additional hardening

  • Render 3D file previews inside a sandboxed <iframe> with sandbox="allow-scripts" and a restrictive CSP (default-src 'none'), similar to how Gitea already handles SVG attachments
  • Apply Content-Security-Policy headers to file preview pages that restrict inline script execution
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.gitea.io/gitea"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.25.0"
            },
            {
              "fixed": "1.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:10:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nMe again.\n\nGitea\u0027s built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into the DOM using `innerHTML` without sanitization. An attacker who can push a `.gltf` file to any repository can execute arbitrary JavaScript in the context of any user who views the file.\n\n## Affected Versions\n\n- Gitea **1.25.0** and later (3D file preview was introduced in 1.25 via the Online3DViewer integration)\n- Confirmed on `gitea:1.25-nightly` (SHA `e33d1da...`), which bundles `online-3d-viewer` npm package v0.16.0\n- The upstream [Online3DViewer](https://github.com/kovacsv/Online3DViewer) library is the root cause\n\n## Severity\n\n- Stored XSS: the payload persists in the repository and fires on every page view\n- Executes under the Gitea origin with the victim\u0027s session (cookies, CSRF tokens)\n- Any authenticated user viewing the file is compromised\n- Enables full account takeover (token creation, settings modification, repository manipulation)\n- No user interaction beyond viewing the file page is required\n\n## Details\n\n### Root Cause\n\nWhen Online3DViewer parses a glTF file, it checks whether all `extensionsRequired` entries are supported. For unsupported extensions, it calls:\n\n```javascript\n// In the Online3DViewer bundle (online-3d-viewer.js)\n// Approximate offset 1142618 in the bundled chunk\nthis.SetError(yp(\"Unsupported extension: {0}.\", unsupportedExtensions.join(\", \")));\n```\n\nThe `SetError` method stores this message, and Gitea\u0027s rendering code inserts it into the page using `innerHTML`:\n\n```javascript\n// Gitea\u0027s error display handler\nelement.innerHTML = errorMessage;  // unsanitized\n```\n\nThe extension names from `extensionsRequired` are taken directly from the JSON file with no escaping or sanitization, allowing HTML injection.\n\n### Attack Vector\n\n1. An attacker creates a `.gltf` file with a malicious `extensionsRequired` value:\n\n```json\n{\n  \"asset\": {\"version\": \"2.0\"},\n  \"buffers\": [],\n  \"extensionsRequired\": [\"\u003cimg src=x onerror=\\\"alert(document.cookie)\\\"\u003e\"],\n  \"scenes\": []\n}\n```\n\n2. The attacker pushes this file to any Gitea repository they have write access to (including forks of public repositories).\n\n3. When any user navigates to the file\u0027s page in the Gitea web UI, the 3D viewer attempts to render it, encounters the \"unsupported extension,\" and inserts the error message (containing the attacker\u0027s HTML) into the DOM via `innerHTML`.\n\n4. The injected `\u003cimg onerror\u003e` handler executes arbitrary JavaScript under the Gitea origin with the victim\u0027s authenticated session.\n\n### Impact\n\nFrom the XSS context, an attacker can:\n\n- **Create API access tokens** for the victim by POSTing to `/user/settings/applications` with the page\u0027s CSRF token\n- **Read private repositories** via same-origin API calls\n- **Modify repository contents** (supply chain attacks)\n- **Escalate to admin** if the victim is a Gitea administrator\n- **Exfiltrate data** via `fetch`, `XMLHttpRequest`, or `navigator.sendBeacon`\n\n## Proof of Concept\n\n### Minimal PoC (alert box)\n\nSave as `poc.gltf` and push to any Gitea 1.25+ repository:\n\n```json\n{\n  \"asset\": {\"version\": \"2.0\"},\n  \"buffers\": [],\n  \"extensionsRequired\": [\"\u003cimg src=x onerror=\\\"alert(\u0027XSS: \u0027+document.domain)\\\"\u003e\"],\n  \"scenes\": []\n}\n```\n\nNavigate to the file in the Gitea web UI. The alert will fire.\n\n\n## Suggested Fixes\n\nSanitize or text-encode the error message before DOM insertion. Replace `innerHTML` with `textContent` for error display:\n\n```javascript\n// Instead of:\nelement.innerHTML = errorMessage;\n\n// Use:\nelement.textContent = errorMessage;\n```\n\nAlternatively, escape HTML entities in the error message before insertion.\n\n### Additional hardening\n\n- Render 3D file previews inside a sandboxed `\u003ciframe\u003e` with `sandbox=\"allow-scripts\"` and a restrictive CSP (`default-src \u0027none\u0027`), similar to how Gitea already handles SVG attachments\n- Apply Content-Security-Policy headers to file preview pages that restrict inline script execution",
  "id": "GHSA-9cpj-qc93-vw8v",
  "modified": "2026-06-17T18:10:19Z",
  "published": "2026-06-17T18:10:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-9cpj-qc93-vw8v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-gitea/gitea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…