VYPR
Critical severity · NVD Advisory · Published Feb 8, 2018 · Updated Aug 5, 2024

CVE-2018-6835

Description

Etherpad Lite before v1.6.3 mishandles JSONP in apicalls.js, allowing remote attackers to bypass access restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Etherpad Lite versions prior to v1.6.3, the file node/hooks/express/apicalls.js mishandles JSONP requests by not validating the callback parameter. The code directly concatenates the req.query.jsonp value into the response without checking whether it is a valid JavaScript variable name. This allows an attacker to inject arbitrary function calls or code, bypassing intended access restrictions [1][2][4].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the Etherpad API endpoint with a jsonp query parameter containing a malicious callback name. No authentication or prior access is required; the attacker only needs network connectivity to the Etherpad instance. The server then returns a response that executes the attacker-controlled callback, potentially triggering unintended actions [2][4].

Impact

Successful exploitation allows a remote attacker to bypass access restrictions, potentially leading to unauthorized data access, information disclosure, or execution of arbitrary operations within the context of the Etherpad API. The exact impact depends on the API functions exposed, but the vulnerability undermines the intended security boundaries [2][4].

Mitigation

The vulnerability is fixed in Etherpad Lite v1.6.3, released on 2018-02-08 [3]. Users should upgrade to v1.6.3 or later immediately. The fix adds a check using isVarName(response) to ensure the callback parameter is a valid JavaScript variable name before including it in the response [4]. No workarounds are documented; upgrading is the recommended action.
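The check described above, as an added example that is not Etherpad's own code: a callback-name validator standing in for the is-var-name package (simplified, not that package) and a JSONP wrapper that validates the callback rather than the response body. The API body is a constructed sample.

```javascript
// Added example, not Etherpad's own code: validate a JSONP callback name
// before wrapping the API response, the check the v1.6.3 fix is meant to add.
// isVarName here is a simplified stand-in for the is-var-name package, not that package.

// A bare ECMAScript identifier: ASCII letters, digits, "_" and "$", not starting with a digit.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Reserved words pass the regex but cannot name a callback function.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function', 'if',
  'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch', 'this', 'throw',
  'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static', 'enum',
  'await', 'null', 'true', 'false',
]);

function isVarName(name) {
  // Express parses a repeated query key (?jsonp=a&jsonp=b) into an array; only a
  // single string can be a variable name, so anything else is rejected outright.
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Hardened wrapper: the callback is validated, not the response body. Returns what the
// handler should send; an invalid callback falls back to plain JSON instead of being
// concatenated into executable JavaScript.
function wrapJsonp(response, callback) {
  if (callback === undefined || !isVarName(callback)) {
    return { body: response, contentType: 'application/json', wrapped: false };
  }
  return {
    body: callback + '(' + response + ')',
    contentType: 'application/javascript',
    wrapped: true,
  };
}

// Constructed sample: the shape of JSON body the Etherpad API returns.
const SAMPLE = '{"code":0,"message":"ok","data":null}';
console.log(wrapJsonp(SAMPLE, 'cb'));       // wrapped as cb({...})
console.log(wrapJsonp(SAMPLE, 'cb foo'));   // not a variable name: plain JSON, unwrapped
// The fix commit above tests isVarName(response) rather than the callback: a JSON body
// is never a variable name, so that form would never wrap anything at all.
console.log(isVarName(SAMPLE));             // false
```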

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
ep_etherpad-lite (npm)   < 1.6.3             1.6.3

Patches

626e58cc5af1

Merge pull request #3314 from rhelmer/sanitize-jsonp

https://github.com/ether/etherpad-lite · John McLear · Jan 31, 2018 · via ghsa
2 files changed · +3 −2
  • src/node/hooks/express/apicalls.js · +1 −1 · modified
    @@ -18,7 +18,7 @@ var apiCaller = function(req, res, fields) {
         apiLogger.info("RESPONSE, " + req.params.func + ", " + response);
     
         //is this a jsonp call, if yes, add the function call
    -    if(req.query.jsonp)
    +    if(req.query.jsonp && isVarName(response))
           response = req.query.jsonp + "(" + response + ")";
     
         res._____send(response);
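Review bot: the new guard tests the wrong value: `isVarName(response)` checks the JSON response body (the string logged two lines above), not the attacker-controlled callback name `req.query.jsonp` that is concatenated on the next line. A JSON object body is never a valid variable name, so for every normal API response the branch is skipped and JSONP wrapping is silently disabled rather than sanitized. The intended check is `if(req.query.jsonp && isVarName(req.query.jsonp))`.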
    
  • src/package.json · +2 −1 · modified
    @@ -43,7 +43,8 @@
                           "jsonminify"              : "0.4.1",
                           "measured"                : "1.1.0",
                           "mocha"                   : "2.4.5",
    -                      "supertest"               : "1.2.0"
    +                      "supertest"               : "1.2.0",
    +                      "is-var-name"             : "1.0.0"
                          },
       "bin":             { "etherpad-lite": "./node/server.js" },
       "devDependencies": {
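Review bot: `is-var-name` is added to `dependencies`, but nothing in this patch requires it: the apicalls.js hunk calls `isVarName` and none of the three added lines is a `var isVarName = require('is-var-name');`, so either that import is missing from the patch or the call throws a ReferenceError on the first JSONP request. The exact-version pin ("1.0.0") and column alignment match the surrounding entries.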
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
