VYPR
Moderate severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 16, 2024

CVE-2017-16018

Description

Restify framework versions 2.0.0 through 4.0.4 reflect user-controlled input in 404 error messages, enabling stored XSS in some browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Restify, a Node.js framework for building REST APIs, is vulnerable to a cross-site scripting (XSS) flaw in versions 2.0.0 through 4.0.4. The bug is in the Router.prototype.find method, where the ResourceNotFoundError message includes the full request URL without sanitization. An attacker can craft a request to a non-existent route with a URL-encoded script tag (e.g., %3Cscript%3Ealert(1)%3C/script%3E) [1][2]. The framework returns this input in the 404 error response body, leading to script execution if the response is rendered in a browser [1][3].

Exploitation

An attacker can exploit this vulnerability by making a crafted HTTP request to any non-existent endpoint of a Restify server, where the URL contains an encoded script payload. No authentication or special network access is required beyond being able to send HTTP requests to the target server. The server automatically includes the unmodified input in the error response. If a user whose browser treats the response as HTML (e.g., via direct navigation or misconfigured MIME handling) views the page, the script executes [1][3].

Impact

Successful exploitation results in stored cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, data exfiltration, or defacement. The affected component is the HTTP error handling layer, so the scope is limited to client-side execution; the attacker does not gain server-side control or elevated privileges [3].

Mitigation

Upgrade to Restify version 4.0.5 or later, which fixes the issue by sanitizing the URL before including it in error messages [1][2]. The fix was applied following the GitHub issue report [3]. No official workaround is documented, but users can manually sanitize error output in custom error handlers. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
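One way to apply the manual sanitization mentioned above, as an added example that is neither restify's code nor its actual patch. The function names, the response shape and the "does not exist" message text are assumptions, and the "before" function models a handler that echoes the decoded request URL.

```javascript
// Added example: helper names are hypothetical, not restify APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Decode percent-encoding, tolerating malformed sequences such as "%E0%A4%A".
function decodeLenient(rawUrl) {
  try {
    return decodeURIComponent(rawUrl);
  } catch (err) {
    return rawUrl; // keep the raw form; it is still escaped by the caller
  }
}

// Replace the characters that let text break out into HTML markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" (assumed model of the flaw): the request URL is copied into the
// 404 message unchanged and no content-type guard is set.
function notFoundUnsafe(rawUrl) {
  return {
    status: 404,
    headers: {},
    body: JSON.stringify({
      code: 'ResourceNotFound',
      message: decodeLenient(rawUrl) + ' does not exist'
    })
  };
}

// "After": the echoed URL is length-capped and HTML-escaped, and the response
// is declared as JSON with MIME sniffing disabled.
function notFoundSafe(rawUrl) {
  const shown = escapeHtml(decodeLenient(rawUrl).slice(0, 200));
  return {
    status: 404,
    headers: {
      'Content-Type': 'application/json',
      'X-Content-Type-Options': 'nosniff'
    },
    body: JSON.stringify({
      code: 'ResourceNotFound',
      message: shown + ' does not exist'
    })
  };
}
```

Escaping alone covers browsers that sniff the body as HTML; the explicit content type and `nosniff` header cover the case where the message is later changed without escaping.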

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: restify (npm)
Affected versions: >= 2.0.0, < 4.1.0
Patched versions: 4.1.0

Affected products

2
  • ghsa-coords
    Range: >= 2.0.0, < 4.1.0
  • HackerOne/restify node module v5
    Range: >=2.0.0 <=4.0.4
