CVE-2019-1010199
Description
ServiceStack Framework 4.5.14 reflected XSS vulnerability in GET request query parameters allows arbitrary JavaScript execution via crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Description
ServiceStack Framework version 4.5.14 contains a reflected Cross-Site Scripting (XSS) vulnerability in the GET request query parameters. The root cause is the lack of proper server-side validation and encoding of the raw URL in the HtmlFormat snapshot. The fix implemented in commit a0e0d7d involves HTML-encoding the raw URL to prevent script injection [3].
Exploitation
An attacker can exploit this by crafting a URL with a malicious JavaScript payload in the query string. Because the server reflects the raw URL into the HtmlFormat page without proper sanitization, the payload is included in the HTML response. If the browser's own URL encoding does not neutralise the payload, the victim's browser executes the script upon visiting the crafted URL. No authentication is required [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser within the context of the vulnerable website. This can lead to session theft, credential harvesting, or other client-side attacks. The vulnerability is classified as XSS with a CVSS score not yet provided by NIST [2].
Mitigation
The vulnerability is fixed in ServiceStack version 5.2.0. Users should upgrade to this version or later. The commit [3] shows the specific change that addresses the issue. No official workarounds are documented, but applying input validation and output encoding on all user-supplied data can reduce risk.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
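The root cause and the fix described above (an absolute request URL concatenated into the HtmlFormat page without encoding, corrected by HTML-encoding it first) can be reproduced in a few lines. The following is an added example written for this page, not ServiceStack's own code: it models the URL rewriting the patch diff shows, places the result in an anchor tag, and contrasts the unencoded and encoded forms. It assumes a plain .NET console program and uses `System.Net.WebUtility.HtmlEncode` in place of ServiceStack's `HtmlEncode()` extension method; the sample URL and the `<marker>` string are constructed for the demonstration and are not a working payload.

```csharp
// Added example, not ServiceStack code: models the HtmlFormat behaviour described above.
// Assumed: a minimal console program; System.Net.WebUtility.HtmlEncode stands in for
// ServiceStack's HtmlEncode() extension method.
using System;
using System.Net;

static class HtmlFormatSnapshot
{
    // Strips the format switches the way the page's diff shows, then appends a
    // separator so the caller can tack on "format=json". Vulnerable form: the URL
    // is concatenated into markup with no encoding, so any markup characters in
    // the query string land in the page as-is.
    public static string BuildLinkVulnerable(string absoluteUrl)
    {
        var url = absoluteUrl
            .Replace("format=html", "")
            .Replace("format=shtm", "")
            .TrimEnd('?', '&');
        url += url.Contains("?") ? "&" : "?";
        return "<a href=\"" + url + "format=json\">json</a>";
    }

    // Hardened form: HTML-encode the URL before it touches the markup. Everything
    // appended afterwards ("&" and "format=json") is a trusted constant.
    public static string BuildLinkEncoded(string absoluteUrl)
    {
        var url = absoluteUrl
            .Replace("format=html", "")
            .Replace("format=shtm", "")
            .TrimEnd('?', '&');
        url = WebUtility.HtmlEncode(url);   // <, >, ", ', & become entities
        url += url.Contains("?") ? "&" : "?";
        return "<a href=\"" + url + "format=json\">json</a>";
    }

    // Check used below: does the rendered markup still contain the raw input
    // fragment, i.e. did it reach the page unencoded?
    public static bool ContainsUnencodedInput(string markup, string fragment)
        => markup.Contains(fragment);

    static void Main()
    {
        // Constructed sample request URL with a harmless angle-bracket marker in
        // the query string (not an attack payload).
        var sample = "https://app.example/hello/world?format=html&name=<marker>";
        var bad = BuildLinkVulnerable(sample);
        var good = BuildLinkEncoded(sample);
        Console.WriteLine(bad);
        Console.WriteLine(good);
        Console.WriteLine("vulnerable reflects raw input: " + ContainsUnencodedInput(bad, "<marker>"));
        Console.WriteLine("encoded reflects raw input:    " + ContainsUnencodedInput(good, "<marker>"));
    }
}
```

With the sample URL, `BuildLinkVulnerable` emits `<marker>` verbatim inside the anchor, while `BuildLinkEncoded` emits `&lt;marker&gt;` and turns the parameter separator into `&amp;`, which is the correct form inside an HTML attribute value. Note the ordering: the encode step runs before the trailing `&`/`?` and `format=json` are appended, so anything concatenated onto the URL after encoding must be a trusted constant, as it is here.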
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ServiceStack (NuGet) | >= 4.5.14, < 5.2.0 | 5.2.0 |
Affected products
- Range: 4.5.14 [fixed: 5.2.0]
Patches
a0e0d7de20f5 HtmlEncode Raw URL in HtmlFormat snapshot
1 file changed · +3 −2
src/ServiceStack/Formats/HtmlFormat.cs+3 −2 modified@@ -90,12 +90,13 @@ public async Task SerializeToStreamAsync(IRequest req, object response, Stream o { // Serialize then escape any potential script tags to avoid XSS when displaying as HTML var json = JsonDataContractSerializer.Instance.SerializeToString(dto) ?? "null"; - json = json.Replace("<", "<").Replace(">", ">"); + json = json.HtmlEncode(); var url = req.ResolveAbsoluteUrl() .Replace("format=html", "") .Replace("format=shtm", "") - .TrimEnd('?', '&'); + .TrimEnd('?', '&') + .HtmlEncode(); url += url.Contains("?") ? "&" : "?";
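Review bot: the removed line in this hunk appears here as `json = json.Replace("<", "<").Replace(">", ">");`, which is a no-op as rendered (the entity literals were most likely decoded during extraction); whatever it originally wrote, it only handled the two angle brackets and left `"`, `'` and `&` untouched, so replacing it with `.HtmlEncode()` is the right direction. The same reasoning applies to `url`: it is now encoded immediately after `.TrimEnd('?', '&')`, but the following line `url += url.Contains("?") ? "&" : "?";` appends to the already-encoded string, so anything concatenated onto `url` after this point must itself be a trusted constant or pass through `HtmlEncode()` as well; the hunk ends before that, so it is worth confirming in the remainder of the method. One consequence to keep in mind: encoding turns every `&` between query parameters into `&amp;`, which is correct inside an HTML attribute value but would be wrong if the same string were reused as a raw URL (for example in a redirect header).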
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vcfc-9wcp-j623 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1010199 (GHSA, ADVISORY)
- github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610 (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.