VYPR
Moderate severity · NVD Advisory · Published Jan 28, 2020 · Updated Aug 4, 2024

CVE-2019-10770

Description

Ratpack Core versions 0.9.10 through 1.7.5 are vulnerable to reflected XSS via the development mode error handler when exception messages include untrusted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-10770 is a Cross-site Scripting (XSS) vulnerability in the io.ratpack:ratpack-core library, affecting all versions from 0.9.10 to just before 1.7.6 [1][2]. The flaw lies in the development mode error handler, which renders exception messages directly into an HTML response without proper escaping. When an exception message contains untrusted data (e.g., user-supplied strings), the handler delivers that content unmodified to the browser, allowing injection of arbitrary HTML or JavaScript [3]. Notably, the production mode error handler is not affected; exploitation in a production environment would require that development mode remains enabled [1][2].

Exploitation

Scenario

An attacker can trigger the vulnerability by causing the application to throw an exception whose message includes attacker-controlled content. For example, a query parameter value could be concatenated into a RuntimeException message. If the exception occurs while development(true) is set, the error page will reflect the unescaped message, executing any embedded script in the user's browser [2][4]. No authentication is required if the attacker can reach an endpoint that generates such an error. The attack vector is simple but depends on the developer's choice to leave development mode active in production or on a publicly accessible staging environment.

Impact

Successful exploitation results in reflected XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to session hijacking, credential theft, or defacement. The severity is moderate (CVSS 6.1) because the vulnerability requires user interaction (e.g., clicking a crafted link) and only affects the development error handler [1].

Mitigation

The issue is patched in Ratpack version 1.7.6, which introduced HTML escaping in the error handler's output [3][4]. Users should upgrade to this version or later. As a workaround, ensure development mode is disabled in production environments and avoid using untrusted data in exception messages during development [4]. No known exploitation in the wild was reported at the time of publication, but the vulnerability is straightforward to exploit if conditions are met.
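To make the mechanics concrete, here is an added Java example that is not Ratpack's own code: it models the development error page writer from the fix commit before and after the patch, and wraps it in the production-mode check the workaround above describes. The class, method names and sample exception message are constructed for illustration, and a hand-rolled htmlEscape stands in for Guava's HtmlEscapers.htmlEscaper() (which the real fix uses) so the program compiles with the JDK alone.

```java
/*
 * Added example, not Ratpack's own code. Models the development error page
 * BodyWriter from the CVE-2019-10770 fix so the vulnerable and patched
 * rendering paths can be compared side by side. All names are constructed.
 */
public class DevErrorPageExample {

    // Stand-in for Guava's HtmlEscapers.htmlEscaper(), which the real fix uses.
    // It escapes the five characters that change meaning in HTML text and
    // attribute values; everything else is passed through unchanged.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same four entry points as the writer in the patch: print/println emit
    // raw markup and are only safe for literals; escape/escapeln are the
    // ones to use for anything taken from a Throwable or a request.
    static final class BodyWriter {
        private final StringBuilder out = new StringBuilder();
        BodyWriter print(String s)    { out.append(s); return this; }
        BodyWriter println(String s)  { return print(s + "\n"); }
        BodyWriter escape(String s)   { return print(htmlEscape(s)); }
        BodyWriter escapeln(String s) { return println(htmlEscape(s)); }
        @Override public String toString() { return out.toString(); }
    }

    // Pre-1.7.6 shape: throwable text reaches the page through println.
    static String renderVulnerable(Throwable t) {
        BodyWriter w = new BodyWriter();
        w.println("<!DOCTYPE html><html><body><pre>");
        w.println(t.toString());                          // unescaped sink
        for (Throwable c = t.getCause(); c != null; c = c.getCause()) {
            w.escape("Caused by: ").println(c.toString()); // same sink for causes
        }
        w.println("</pre></body></html>");
        return w.toString();
    }

    // 1.7.6 shape: identical layout, throwable text goes through escapeln.
    static String renderFixed(Throwable t) {
        BodyWriter w = new BodyWriter();
        w.println("<!DOCTYPE html><html><body><pre>");
        w.escapeln(t.toString());
        for (Throwable c = t.getCause(); c != null; c = c.getCause()) {
            w.escape("Caused by: ").escapeln(c.toString());
        }
        w.println("</pre></body></html>");
        return w.toString();
    }

    // The advisory's workaround in code form: a detailed page is only produced
    // when development mode is on; production gets a fixed, message-free body.
    static String renderErrorPage(Throwable t, boolean development) {
        if (!development) {
            return "<!DOCTYPE html><html><body><h1>500 Internal Server Error</h1></body></html>\n";
        }
        return renderFixed(t);
    }

    public static void main(String[] args) {
        // Constructed input: a query parameter value concatenated into an
        // exception message, as in the exploitation scenario above.
        String untrusted = "<script>alert(1);</script>";
        RuntimeException e = new RuntimeException("bad value: " + untrusted,
                new IllegalArgumentException(untrusted));

        String vulnerable = renderVulnerable(e);
        String fixed = renderFixed(e);

        System.out.println("vulnerable page contains raw payload : " + vulnerable.contains(untrusted));
        System.out.println("fixed page contains raw payload      : " + fixed.contains(untrusted));
        System.out.println("fixed page contains escaped payload  : " + fixed.contains(htmlEscape(untrusted)));
        System.out.println("production page reveals the message  : " + renderErrorPage(e, false).contains("bad value"));
    }
}
```

Compile and run with `javac DevErrorPageExample.java && java DevErrorPageExample`; the four lines print true, false, true and false. The vulnerable renderer only differs from the fixed one in which writer method the throwable text goes through, which is exactly the one-line change in the first hunk of the fix commit; the production wrapper shows why the advisory treats an enabled development mode as the precondition for exploitation.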

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.ratpack:ratpack-core (Maven)
Affected versions: < 1.7.6
Patched versions: 1.7.6


Patches

a3cbb13be152

Escape user input rendered to the response in the development error handler.

https://github.com/ratpack/ratpack · John Engelman · Jan 14, 2020 · via ghsa
2 files changed · +31 −1
  • ratpack-core/src/main/java/ratpack/error/internal/ErrorPageRenderer.java +5 −1 modified
    @@ -81,7 +81,7 @@ protected void throwable(BodyWriter w, Throwable throwable, boolean isCause) {
             w.escape("Caused by: ");
           }
     
    -      w.println(throwable.toString());
    +      w.escapeln(throwable.toString());
           for (StackTraceElement ste : throwable.getStackTrace()) {
             String className = ste.getClassName();
             if (className.startsWith("ratpack")
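Review bot: switching the throwable.toString() line to escapeln closes the sink this hunk shows, but the trailing context only starts the StackTraceElement loop and the hunk does not show how className and the other frame fields reach the writer; those strings come from the same throwable, so confirm that loop, and any other print/println call in ErrorPageRenderer whose argument is not a string literal, goes through escape/escapeln as well, otherwise the escaping is only as complete as this one line.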
    @@ -120,6 +120,10 @@ BodyWriter println(String string) {
         BodyWriter escape(String string) {
           return print(HTML_ESCAPER.escape(string));
         }
    +
    +    BodyWriter escapeln(String string) {
    +      return println(HTML_ESCAPER.escape(string));
    +    }
       }
     
       protected void messages(BodyWriter writer, String heading, Runnable block) {
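Review bot: escapeln is a one-line composition of the existing escape and println, which is fine, but nothing in the writer now distinguishes the raw-markup entry points (print/println) from the ones that are safe for untrusted text (escape/escapeln); a short comment on the raw methods saying they are for literal markup only, or making them less visible than the escaping variants, would make the safe default obvious to the next caller. Guava escapers also reject a null argument, which is harmless for Throwable.toString() but worth remembering if escapeln is reused for other strings.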
    
  • ratpack-core/src/test/groovy/ratpack/error/DevelopmentErrorHandlerSpec.groovy +26 −0 modified
    @@ -16,10 +16,14 @@
     
     package ratpack.error
     
    +import com.google.common.escape.Escaper
    +import com.google.common.html.HtmlEscapers
     import ratpack.test.internal.RatpackGroovyDslSpec
     
     class DevelopmentErrorHandlerSpec extends RatpackGroovyDslSpec {
     
    +  private static final Escaper HTML_ESCAPER = HtmlEscapers.htmlEscaper()
    +
       def "debug error handler prints html info if client wants html"() {
         given:
         def e = new RuntimeException("!")
    @@ -96,4 +100,26 @@ class DevelopmentErrorHandlerSpec extends RatpackGroovyDslSpec {
           body.contentType.text
         }
       }
    +
    +  def "debug error handler properly escapes HTML characters"() {
    +    given:
    +    def payload = "<script>alert(1);</script>"
    +    def e = new RuntimeException(payload)
    +    requestSpec { it.headers.add("Accept", "text/html;q=1,text/plain;q=0.9") }
    +
    +    when:
    +    serverConfig { development(true) }
    +    handlers {
    +      get("server") { error(e) }
    +    }
    +
    +    then:
    +    with(get("server")) {
    +      statusCode == 500
    +      body.text.startsWith("<!DOCTYPE html>")
    +      !body.text.contains(payload)
    +      body.text.contains(HTML_ESCAPER.escape(payload))
    +      body.contentType.html
    +      }
    +    }
     }
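Review bot: the then: block asserts body.text.contains(HTML_ESCAPER.escape(payload)) with the same Guava escaper the fix relies on, so the expected value is derived from the component under test rather than stated; asserting the literal `&lt;script&gt;alert(1);&lt;/script&gt;` alongside `!body.text.contains(payload)` pins the encoding and would still fail if the renderer were later switched to an escaper that leaves `<` alone. The new case also only covers the top-level message, while the changed line in ErrorPageRenderer is shared with the "Caused by:" path; a second case with the payload in a nested cause, e.g. `new RuntimeException("outer", new RuntimeException(payload))`, would exercise that branch. Minor: the closing braces of the with block and of the feature method are indented one level deeper than the method above.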
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
