Self-XSS in AS_Redis
Description
AS_Redis plugin for AntSword prior to v0.5 is vulnerable to Self-XSS via insufficient input validation in Redis server configuration, leading to code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AS_Redis plugin for AntSword prior to v0.5 is vulnerable to Self-XSS via insufficient input validation in Redis server configuration, leading to code execution.
Vulnerability
The AS_Redis plugin for AntSword, versions prior to v0.5, is vulnerable to Self-XSS due to insufficient input validation and sanitization of the Redis server configuration fields. An attacker can inject arbitrary JavaScript into the host address or other configuration parameters, which is then executed when the victim views or interacts with the plugin's configuration interface [2][3]. The vulnerability exists because the plugin does not properly escape or validate user-supplied input before rendering it in the administrative UI.
Exploitation
To exploit this vulnerability, an attacker must craft a malicious Redis server address containing an XSS payload (e.g., `). The victim must then manually enter or paste this crafted address into the AS_Redis plugin configuration within AntSword. No network-level access or authentication is required beyond the victim's own use of the plugin. Once the configuration is saved and the plugin interface is rendered, the injected script executes in the context of the AntSword application [3]. The attacker can leverage this to execute arbitrary JavaScript, which can then call Node.js functions via eval` or similar mechanisms to achieve code execution [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the AntSword plugin, which can lead to local code execution on the victim's machine. Since AntSword is a penetration testing tool with elevated privileges, this can result in full compromise of the user's environment, including data exfiltration, file manipulation, and further lateral movement [2][3]. The vulnerability is classified as Self-XSS, meaning the victim must perform the action of entering the malicious input, but the impact is severe due to the potential for code execution.
Mitigation
The vulnerability is patched in AS_Redis plugin version v0.5 and later [2]. Users should upgrade to the latest version immediately. No workarounds are documented; the only mitigation is to avoid entering untrusted Redis server addresses into the plugin configuration. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Medicean/AS_Redisv5Range: < 0.5
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3- github.com/AntSword-Store/AS_Redis/issues/1mitrex_refsource_MISC
- github.com/Medicean/AS_Redis/security/advisories/GHSA-j8j6-f829-w425mitrex_refsource_CONFIRM
- mp.weixin.qq.com/s/yjuG6DLT_bSRnpggPj21Xwmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.