VYPR
Moderate severity · NVD Advisory · Published Apr 29, 2022 · Updated Aug 3, 2024

CVE-2022-29947


Description

Woodpecker before 0.15.1 lacks HTML escaping in build logs, allowing stored XSS via crafted log output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in the Woodpecker CI/CD web interface, specifically in the file web/src/components/repo/build/BuildLog.vue. Prior to version 0.15.1, the component that renders build logs did not escape HTML or XML characters. This allows an attacker who can inject unescaped HTML into build log output to execute arbitrary JavaScript in the context of any Woodpecker user viewing those logs. Affected versions are all releases before 0.15.1 [1][2][4].

Exploitation

The attacker must have the ability to produce build output that includes unescaped HTML tags. In a typical CI/CD setup, this can be achieved by committing code to a repository that triggers a pipeline step which prints attacker-controlled content (e.g., via echo or a script). When a Woodpecker user (including project maintainers or other developers) views the build logs through the web UI, the injected HTML/JavaScript executes in their browser. No additional authentication is required beyond normal access to view build results [2][4].

Impact

Successful exploitation results in XSS (cross-site scripting), allowing the attacker to execute arbitrary JavaScript in the victim's browser session. Depending on the user's permissions, this could lead to session hijacking, theft of API tokens, unauthorized actions on repositories, or information disclosure. The attack does not compromise the server itself but affects users accessing the web interface [2][4].

Mitigation

The vulnerability is fixed in Woodpecker version 0.15.1, released on April 13, 2022 [1]. Users should upgrade to v0.15.1 or later. There are no known workarounds. The fix was implemented in pull request #879, which introduced proper HTML escaping in the log view component [4]. No evidence of exploitation in the wild or KEV listing is reported in the available references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/woodpecker-ci/woodpecker (Go)
Affected versions: < 0.15.1
Patched versions: 0.15.1

Patches

f2bf5931c283

fix: ansi logging (#880)

1 file changed · +1 −1
  • web/src/components/repo/build/BuildLog.vue  +1 −1  modified
    @@ -67,7 +67,7 @@ export default defineComponent({
         const repo = inject<Ref<Repo>>('repo');
         const buildProc = useBuildProc();
     
    -    const ansiConvert = new AnsiConvert();
    +    const ansiConvert = new AnsiConvert({ escapeXML: true });
         const logLines = computed(() => buildProc.logs.value?.map((l) => ({ ...l, out: ansiConvert.toHtml(l.out) })));
         const proc = computed(() => build.value && findProc(build.value.procs || [], procId.value));
     
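Review bot: the one-line change ships without a regression test, and since `escapeXML: true` is the entire defence against log text being rendered as markup, a later refactor that recreates the converter with `new AnsiConvert()` would silently reintroduce the issue. Add a unit test that passes a log line containing `<`, `>` and `&` through `ansiConvert.toHtml` and asserts the output contains `&lt;`, `&gt;` and `&amp;` rather than the raw characters. The hunk is byte-for-byte identical to the #879 hunk, so the same test should accompany both.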
    
3064975afdbc

fix: ansi logging (#879)

https://github.com/woodpecker-ci/woodpecker · Anbraten · Apr 13, 2022 · via ghsa-ref
1 file changed · +1 −1
  • web/src/components/repo/build/BuildLog.vue  +1 −1  modified
    @@ -67,7 +67,7 @@ export default defineComponent({
         const repo = inject<Ref<Repo>>('repo');
         const buildProc = useBuildProc();
     
    -    const ansiConvert = new AnsiConvert();
    +    const ansiConvert = new AnsiConvert({ escapeXML: true });
         const logLines = computed(() => buildProc.logs.value?.map((l) => ({ ...l, out: ansiConvert.toHtml(l.out) })));
         const proc = computed(() => build.value && findProc(build.value.procs || [], procId.value));
     
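Review bot: the new constructor option carries no comment saying why it is there, so a reader seeing `new AnsiConvert({ escapeXML: true })` in isolation may treat it as cosmetic and drop it. Add a short comment above the line, e.g. `// escapeXML is required: log output is untrusted and toHtml() output is rendered as HTML`. The hunk also does not show where the `out` field produced by `logLines` is inserted into the DOM; confirm that `ansiConvert.toHtml` is the only path by which raw log text reaches the template, otherwise escaping at this one call site is incomplete.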
    

Vulnerability mechanics

Root cause

"Missing XML/HTML escaping in ANSI-to-HTML conversion allows injection of arbitrary HTML into build log output."

Attack vector

An attacker who can inject arbitrary text into a CI build log (e.g., by controlling a step's output) can embed malicious HTML/JavaScript. When a victim views the build logs in the Woodpecker web UI, the unescaped content is rendered as HTML, leading to stored XSS. No special network position is required beyond the ability to trigger a build step that produces crafted output.

Affected code

The vulnerability resides in `web/src/components/repo/build/BuildLog.vue`. The component creates an `AnsiConvert` instance without the `escapeXML: true` option, so the ANSI-to-HTML conversion copies XML/HTML special characters from build log output into the generated HTML unescaped, and any markup contained in a log line becomes live markup in the page.

What the fix does

Both patches change the `AnsiConvert` constructor call from `new AnsiConvert()` to `new AnsiConvert({ escapeXML: true })`. This tells the ANSI conversion library to escape XML special characters (`
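As an added example for the "Affected code" and "What the fix does" sections (this is not Woodpecker's code and not the ansi-to-html library the project uses): a toy ANSI-SGR-to-HTML converter with an `escapeXML` option modelled on the option the fix turns on, run on a constructed log line both without and with the option. `TinyAnsiConvert`, `renderVulnerable`, `renderFixed` and `containsForeignMarkup` are names chosen here; the colour table and the SGR subset handled are simplified. It goes slightly beyond the text by including a check that can serve as a regression test: converter output may contain only the converter's own `<span>` tags.

```javascript
// Added example (not Woodpecker's code and not the ansi-to-html library):
// a toy ANSI-SGR-to-HTML converter with an `escapeXML` option modelled on
// the option the fix turns on. Only reset (0), bold (1) and the eight
// basic foreground colours (30-37) are handled.

const FG_COLOURS = {
  30: '#000', 31: '#a00', 32: '#0a0', 33: '#a50',
  34: '#00a', 35: '#a0a', 36: '#0aa', 37: '#aaa',
};

const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Replace the five characters that can open or close markup or attributes.
function escapeXmlEntities(text) {
  return text.replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

class TinyAnsiConvert {
  constructor(opts = {}) {
    // Mirrors the library option: when false, log text is copied into the
    // HTML verbatim, so any markup the log contains becomes live markup.
    this.escapeXML = Boolean(opts.escapeXML);
  }

  // Convert one log line: SGR sequences become <span> tags, everything else
  // is plain text (escaped or not, depending on the option).
  toHtml(input) {
    const sgr = /\x1b\[([0-9;]*)m/g;
    let html = '';
    let openSpans = 0;
    let last = 0;
    let m;
    while ((m = sgr.exec(input)) !== null) {
      html += this.plain(input.slice(last, m.index));
      last = sgr.lastIndex;
      const codes = m[1] === '' ? [0] : m[1].split(';').map(Number);
      for (const code of codes) {
        if (code === 0) {
          html += '</span>'.repeat(openSpans);
          openSpans = 0;
        } else if (code === 1) {
          html += '<span style="font-weight:bold">';
          openSpans += 1;
        } else if (FG_COLOURS[code]) {
          html += `<span style="color:${FG_COLOURS[code]}">`;
          openSpans += 1;
        }
      }
    }
    html += this.plain(input.slice(last));
    return html + '</span>'.repeat(openSpans);
  }

  plain(chunk) {
    return this.escapeXML ? escapeXmlEntities(chunk) : chunk;
  }
}

// Constructed sample line: a green "+ echo" trace followed by output that
// happens to contain markup, as a pipeline step printing committer-controlled
// text could produce.
const SAMPLE_LOG_LINE =
  '\x1b[32m+ echo\x1b[0m <script>evil()</script> done & 1<2';

// Before the fix: converter built without escapeXML.
function renderVulnerable(line) {
  return new TinyAnsiConvert().toHtml(line);
}

// After the fix: converter built with escapeXML: true.
function renderFixed(line) {
  return new TinyAnsiConvert({ escapeXML: true }).toHtml(line);
}

// Regression check usable in a unit test: the only tags allowed in converter
// output are the converter's own <span> / </span>.
function containsForeignMarkup(html) {
  return /<(?!\/?span\b)[^>]*>/.test(html);
}

console.log('vulnerable:', renderVulnerable(SAMPLE_LOG_LINE));
console.log('fixed:     ', renderFixed(SAMPLE_LOG_LINE));
console.log('foreign markup before/after fix:',
  containsForeignMarkup(renderVulnerable(SAMPLE_LOG_LINE)),
  containsForeignMarkup(renderFixed(SAMPLE_LOG_LINE)));
```

Without the option the `<script>` element survives conversion intact and the browser would execute it once the string is inserted as HTML; with the option every `<`, `>` and `&` in the log text is entity-encoded while the converter's own colour spans are untouched, which is exactly the separation the fix relies on. `containsForeignMarkup` is the assertion a project would keep in CI so that recreating the converter without the option fails a test rather than reintroducing the issue.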

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
