CVE-2024-51498
Description
cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the javascript: protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit 66bac03e, was mitigated in commit 97977efa (correctly configured web instances were no longer vulnerable) and fully fixed in commit c4be1d3a (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cobalt media downloader is vulnerable to XSS via javascript: links served by malicious instances, fixed in version 10.2.1.
Vulnerability
Description
Cobalt, a media downloader, contained a cross-site scripting (XSS) vulnerability in the picker dialog. A malicious cobalt instance could serve a download link using the javascript: protocol. When the user clicks to download an item from the picker, the application would call window.open() with that malicious URL, executing attacker-controlled JavaScript in the context of the victim's browser. This issue was introduced in commit 66bac03e, which added the picker dialog [2].
Exploitation
Conditions
An attacker must operate or control a cobalt instance that the victim uses. If the victim attempts to download a media item via the picker, the malicious instance returns a link with the javascript: protocol. There is no requirement for authentication beyond the user voluntarily using the malicious service. The attack vector is network-based with low complexity [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the user's browser. This could lead to theft of session tokens, credentials, or other sensitive data, as well as performing actions on behalf of the user within the context of the cobalt web application.
Mitigation
The vulnerability was partially mitigated in commit 97977efa by adding a Content-Security-Policy header that restricted script sources, protecting correctly configured instances [3]. The definitive fix was implemented in commit c4be1d3a, which validates that the URL protocol is http: or https: before opening, preventing arbitrary protocol execution [4]. This fix is included in release version 10.2.1. Users are advised to upgrade. Those unable to upgrade should enable a Content-Security-Policy to restrict script execution.
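The definitive fix described above amounts to an allowlist on the URL scheme before the browser is asked to open anything. The following is an added illustration of that pattern, written for this page; it is not cobalt's own code, and the names `isSafeDownloadUrl`, `openDownload` and `ALLOWED_PROTOCOLS` are assumptions. It parses the candidate link with the standard `URL` constructor and only hands it to a `window.open`-style opener when the scheme is http: or https:, so javascript:, data: and other schemes served by an untrusted instance are rejected before they reach the browser.

```javascript
// Added example (not cobalt's project code): reject non-http(s) links before window.open().
// Assumed names: ALLOWED_PROTOCOLS, isSafeDownloadUrl, openDownload.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Return true only when `rawUrl` parses as an absolute URL whose scheme is on the allowlist.
// Using the URL parser (instead of a string prefix check) normalises case and surrounding
// whitespace, so "JavaScript:..." or " javascript:..." still resolve to protocol "javascript:".
function isSafeDownloadUrl(rawUrl) {
  if (typeof rawUrl !== "string") return false;
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws on relative or unparseable input
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Default opener uses window.open with noopener; in a non-browser context it is a no-op.
function defaultOpener(url) {
  if (typeof window !== "undefined" && typeof window.open === "function") {
    window.open(url, "_blank", "noopener");
  }
}

// Gate the opener behind the scheme check and report what happened, so callers can log blocks.
function openDownload(rawUrl, opener = defaultOpener) {
  if (!isSafeDownloadUrl(rawUrl)) {
    return { opened: false, reason: "blocked: URL scheme is not http(s)" };
  }
  opener(rawUrl);
  return { opened: true, reason: null };
}

// Constructed sample links, as a picker response from an instance might contain them.
const SAMPLE_LINKS = [
  "https://example.com/media/clip.mp4",   // allowed
  "http://example.com/media/clip.mp4",    // allowed
  "javascript:alert(1)",                  // blocked: the CVE's scheme
  "JavaScript:alert(1)",                  // blocked: parser lowercases the scheme
  "data:text/html,hello",                 // blocked
  "//example.com/media/clip.mp4",         // blocked: scheme-relative, not absolute
];

for (const link of SAMPLE_LINKS) {
  console.log(link, "->", openDownload(link, () => {}).opened ? "open" : "blocked");
}
```

Rejecting on parse failure (relative links included) is deliberate: a picker link from a remote instance should always be absolute, and a conservative default keeps the check from being bypassed by inputs the parser treats leniently.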
- [@imput/cobalt-web] XSS when downloading picker image from malicious instance
- web/dialogs: add picker dialog & clean up small dialog · imputnet/cobalt@66bac03
- web: generate `_headers` & add `Content-Security-Policy` header · imputnet/cobalt@97977ef
- web/download: don't try to open non-https links · imputnet/cobalt@c4be1d3
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
3
- 66bac03e3078
- 97977efabd92
- c4be1d3a37b0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4
- github.com/imputnet/cobalt/commit/66bac03e3078e4e781d2d3903c05ad66a883a354 (nvd)
- github.com/imputnet/cobalt/commit/97977efabd92375f270d1818f38de3b0682c2f19 (nvd)
- github.com/imputnet/cobalt/commit/c4be1d3a37b0deb6b6087ec7a815262ac942daf1 (nvd)
- github.com/imputnet/cobalt/security/advisories/GHSA-cm4c-v4cm-3735 (nvd)
News mentions
0
No linked articles in our index yet.