CVE-2024-1143
Description
Central Dogma versions prior to 0.64.1 are vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Central Dogma versions prior to 0.64.1 contain a cross-site scripting vulnerability in SAML RelayState that can leak user sessions and bypass authentication.
Vulnerability
Overview
Central Dogma versions prior to 0.64.1 are vulnerable to a Cross-Site Scripting (XSS) attack targeting the RelayState parameter in its SAML authentication handler [1][3]. The root cause is insufficient sanitization of the RelayState value before rendering it in an HTML page, allowing an attacker to inject arbitrary JavaScript [2].
Exploitation
Scenario
The XSS vulnerability can be exploited by tricking a legitimate user into clicking a crafted link or visiting a malicious SAML identity provider session that injects script code into the RelayState field [3]. The attacker does not need prior authentication, as the injection is delivered during the SAML assertion process. Once the script executes in the victim's browser context, it can capture the user's session token.
Impact
Successful exploitation enables an attacker to leak a victim's session identifier, leading to session hijacking and authentication bypass [1][3]. This can result in unauthorized access to service configurations and other sensitive resources managed by Central Dogma.
Mitigation
The vulnerability is fixed in Central Dogma version 0.64.1 [3]. No viable workarounds are available; users must upgrade to the patched version to remediate the issue [3].
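To make the root cause in the overview and the fix described under mitigation concrete, here is an added JavaScript example (not Central Dogma's code) that rebuilds the post-login redirect script from a RelayState value three ways: the pre-fix concatenation, the HTML-escaped form the fix uses, and a stricter allowlist-plus-JSON-encoding form. It assumes the script is emitted inside a `<script>` body; function names, the allowlist and the helper are hypothetical.

```javascript
// Added example, not Central Dogma's code. Assumes redirectionScript is emitted
// inside a <script> body. Function names and the allowlist are hypothetical.

// Payload taken from the project's own regression test: a quote followed by a
// method call, so that in the unsafe build it closes the '/#' literal early.
const PAYLOAD = "'.substr(0.1)'\"&<>";

// Pre-fix behaviour: RelayState concatenated straight into a JS string literal.
function buildRedirectScriptUnsafe(relayState) {
  if (!relayState) return "window.location.href='/'";
  return "window.location.href='/#" + relayState + "'";
}

// Same escaping Guava's HtmlEscapers performs: & < > " and ' become entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// What the 0.64.1 fix does. In a <script> body entities are not decoded, so the
// literal now contains "&#39;" instead of a closing quote and no "</script>" can
// appear; in an event-handler attribute the entities would be decoded first.
function buildRedirectScriptHtmlEscaped(relayState) {
  if (!relayState) return "window.location.href='/'";
  return "window.location.href='/#" + htmlEscape(relayState) + "'";
}

// Stricter: accept only a relative fragment path, then encode for the JS string
// context. JSON.stringify escapes quotes and backslashes; "<" is escaped as well
// so the value can never close the enclosing <script> element.
const RELAY_STATE_RE = /^[A-Za-z0-9_\-./?=&%]*$/;
function buildRedirectScriptStrict(relayState) {
  if (!relayState) return "window.location.href='/'";
  if (!RELAY_STATE_RE.test(relayState)) {
    throw new Error("RelayState rejected: not a relative fragment path");
  }
  return "window.location.href=" + JSON.stringify("/#" + relayState).replace(/</g, "\\u003c");
}

// True when the single-quoted literal runs to the end of the statement, i.e.
// the value did not terminate it early. Checks the first two builders' output.
function literalStaysClosed(script) {
  return /^window\.location\.href='([^']*)'$/.test(script);
}
```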
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.linecorp.centraldogma:centraldogma-server (Maven) | < 0.64.1 | 0.64.1 |
Affected products
LINE Corporation / Central Dogma, affected version range: 0.63.3
Patches
18edcf913b881: Merge pull request from GHSA-34q3-p352-c7q8
2 files changed · +74 −2
server-auth/saml/src/main/java/com/linecorp/centraldogma/server/auth/saml/SamlAuthSsoHandler.java+4 −2 modified@@ -38,6 +38,7 @@ import org.opensaml.saml.saml2.core.Response; import com.google.common.base.Strings; +import com.google.common.html.HtmlEscapers; import com.linecorp.armeria.common.AggregatedHttpRequest; import com.linecorp.armeria.common.HttpRequest; @@ -125,11 +126,12 @@ public HttpResponse loginSucceeded(ServiceRequestContext ctx, AggregatedHttpRequ final String redirectionScript; if (!Strings.isNullOrEmpty(relayState)) { - redirectionScript = "window.location.href='/#" + relayState + '\''; + redirectionScript = "window.location.href='/#" + + HtmlEscapers.htmlEscaper().escape(relayState) + '\''; } else { redirectionScript = "window.location.href='/'"; } - return HttpResponse.from(loginSessionPropagator.apply(session).thenApply( + return HttpResponse.of(loginSessionPropagator.apply(session).thenApply( unused -> HttpResponse.of(HttpStatus.OK, MediaType.HTML_UTF_8, getHtmlWithOnload( "localStorage.setItem('sessionId','" + sessionId + "')", redirectionScript))));
server-auth/saml/src/test/java/com/linecorp/centraldogma/server/auth/saml/SamlAuthSsoHandlerTest.java+70 −0 added@@ -0,0 +1,70 @@ +/* + * Copyright 2024 LINE Corporation + * + * LINE Corporation licenses this file to you under the Apache License, + * version 2.0 (the "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at: + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + */ +package com.linecorp.centraldogma.server.auth.saml; + +import static com.linecorp.centraldogma.server.auth.saml.HtmlUtil.getHtmlWithOnload; +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.time.Duration; +import java.util.concurrent.CompletableFuture; + +import org.junit.jupiter.api.Test; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.saml2.core.Assertion; +import org.opensaml.saml.saml2.core.NameID; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Subject; + +import com.google.common.collect.ImmutableList; + +import com.linecorp.armeria.common.AggregatedHttpRequest; +import com.linecorp.armeria.common.HttpMethod; +import com.linecorp.armeria.common.HttpResponse; +import com.linecorp.armeria.server.ServiceRequestContext; + +class SamlAuthSsoHandlerTest { + + @Test + void relayStateIsHtmlEscaped() { + final SamlAuthSsoHandler samlAuthSsoHandler = + new SamlAuthSsoHandler(() -> "id", session -> CompletableFuture.completedFuture(null), + Duration.ofDays(1), name -> "foo", "foo", null); + + final AggregatedHttpRequest req = 
AggregatedHttpRequest.of(HttpMethod.GET, "/"); + final ServiceRequestContext ctx = ServiceRequestContext.of(req.toHttpRequest()); + + final NameID nameId = mock(NameID.class); + when(nameId.getFormat()).thenReturn("foo"); + when(nameId.getValue()).thenReturn("foo"); + final Subject subject = mock(Subject.class); + when(subject.getNameID()).thenReturn(nameId); + final Assertion assertion = mock(Assertion.class); + when(assertion.getSubject()).thenReturn(subject); + final Response response = mock(Response.class); + when(response.getAssertions()).thenReturn(ImmutableList.of(assertion)); + + final MessageContext<Response> messageContext = new MessageContext<>(); + messageContext.setMessage(response); + final String relayState = "'.substr(0.1)'\"&<>"; + final HttpResponse httpResponse = + samlAuthSsoHandler.loginSucceeded(ctx, req, messageContext, null, relayState); + assertThat(httpResponse.aggregate().join().contentUtf8()).isEqualTo(getHtmlWithOnload( + "localStorage.setItem('sessionId','id')", + "window.location.href='/#'.substr(0.1)'"&<>'")); + } +}
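Review bot: in the SamlAuthSsoHandler hunk, `HtmlEscapers.htmlEscaper().escape(relayState)` applies HTML-entity escaping to a value that is then placed inside a single-quoted JavaScript string literal, so the escaping context does not match the output context. Whether that is enough depends on how `getHtmlWithOnload` embeds `redirectionScript`: in a `<script>` body the parser leaves `&#39;` as literal text and the quote cannot terminate the literal, but in an `onload="..."` event-handler attribute entities are decoded before the JavaScript is evaluated and a `'` would reach the script again. Consider encoding for the JavaScript string context instead (a JSON string encoder with `<` escaped), or, stricter, validating RelayState as a relative fragment path before building the redirect, and note the intended embedding context in a comment. The switch from `HttpResponse.from` to `HttpResponse.of` in the same hunk is an unrelated API change and deserves a mention in the commit message so reviewers of the security fix do not have to work out why it is there.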
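Review bot: `relayStateIsHtmlEscaped` asserts only that the rendered page equals the exact escaped markup (`window.location.href='/#&#39;.substr(0.1)&#39;&quot;&amp;&lt;&gt;'`); it does not cover the `else` branch where `relayState` is null or empty, nor a benign RelayState such as a project path that must survive unchanged. Add a case for each, and consider checking that the redirect literal is not terminated early rather than comparing the whole `getHtmlWithOnload` output, so the test keeps its meaning if that template changes.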
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.