CVE-2025-10944
Description
A weakness has been identified in yi-ge get-header-ip up to 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15. This issue affects the function ip of the file ip.php. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in yi-ge/get-header-ip's ip.php allows remote attackers to inject arbitrary JavaScript via the callback parameter.
The vulnerability resides in the ip function in ip.php of the yi-ge/get-header-ip library (up to commit 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15). The function writes the user-supplied callback argument into the response without validating or encoding it, so an attacker controls part of the response body and the endpoint is subject to reflected cross-site scripting (XSS) [1]. A callback parameter of this kind is typically a JSONP hook, where the response takes the form callback(json); such a reflection turns into script execution in the victim's browser whenever the response can be rendered as HTML, which is the case when the endpoint serves it as text/html or omits both a script content type and X-Content-Type-Options: nosniff.
An attacker exploits this by crafting a URL to the endpoint whose callback parameter carries a script payload. The attack is initiated remotely and needs no authentication, since the vulnerable endpoint is publicly reachable; the victim only has to open the crafted link, for example one delivered by phishing or other social engineering.
Successful exploitation runs attacker-chosen JavaScript in the victim's browser in the origin of the site hosting ip.php, which can lead to session hijacking, credential theft, or defacement of the page. The CVSS v3 base score of 3.5 reflects low severity: user interaction is required, and the impact on confidentiality and integrity is limited.
The vendor was contacted but did not respond, and the library follows a rolling release model with no version tags, so affected code is identified only by commit. As of the publication date, no official patch is available. Users are advised to stop using the library or to apply a workaround: restrict the callback parameter to a JavaScript identifier pattern and reject anything else, and serve JSONP responses with Content-Type: application/javascript and X-Content-Type-Options: nosniff so that a browser never renders them as HTML.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
No CPE identifiers are recorded for the affected products.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
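The JSONP callback pattern described in the AI Insight above, shown as an added illustration. This is hypothetical code written for this page, not the yi-ge/get-header-ip project's own ip.php, and the function names (client_ip, ip_vulnerable, ip_hardened, valid_callback), the header set and the sample request are all assumptions; the page does not say which headers the real endpoint sends. The vulnerable function concatenates the callback unchecked; the hardened one whitelists it as an identifier, forces a script content type with nosniff, and prefixes the body so it cannot parse as HTML.

```php
<?php
// Added illustration for CVE-2025-10944. NOT the code of yi-ge/get-header-ip;
// a hypothetical JSONP endpoint showing the vulnerable pattern the advisory
// describes (callback reflected without restriction) next to a hardened version.

// Hypothetical helper: pick the first syntactically valid client IP from the
// usual headers, falling back to REMOTE_ADDR.
function client_ip(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may carry a comma-separated chain; take the first hop.
            $candidate = trim(explode(',', $server[$key])[0]);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return '0.0.0.0';
}

// VULNERABLE pattern: the callback name is concatenated into the body unchecked.
// ?callback=<script>alert(document.domain)</script>// yields a body that starts
// with a script tag and comments out the rest; rendered as HTML, it executes.
function ip_vulnerable(array $get, array $server): string {
    $payload = json_encode(['ip' => client_ip($server)]);
    if (isset($get['callback'])) {
        return $get['callback'] . '(' . $payload . ');';
    }
    return $payload;
}

// HARDENED version: whitelist the callback as a JS identifier (dots allowed for
// namespaced callbacks such as jQuery.cb1), cap its length, emit an explicit
// script content type with nosniff, and prefix the body with /**/ so it can only
// ever be parsed as a JavaScript statement.
function valid_callback(string $name): bool {
    return strlen($name) <= 64
        && preg_match('/\A[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*\z/', $name) === 1;
}

function ip_hardened(array $get, array $server): array {
    $payload = json_encode(['ip' => client_ip($server)]);
    $headers = [
        'Content-Type'           => 'application/json; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
    ];
    if (isset($get['callback'])) {
        if (!valid_callback($get['callback'])) {
            return ['status' => 400, 'headers' => $headers,
                    'body' => json_encode(['error' => 'invalid callback'])];
        }
        $headers['Content-Type'] = 'application/javascript; charset=utf-8';
        return ['status' => 200, 'headers' => $headers,
                'body' => '/**/' . $get['callback'] . '(' . $payload . ');'];
    }
    return ['status' => 200, 'headers' => $headers, 'body' => $payload];
}

// Constructed sample request (not a captured exploit): attacker-chosen callback.
$server = ['HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.1', 'REMOTE_ADDR' => '10.0.0.1'];
$get    = ['callback' => '<script>alert(document.domain)</script>//'];

echo "vulnerable body: ", ip_vulnerable($get, $server), "\n";
$r = ip_hardened($get, $server);
echo "hardened status: ", $r['status'], " body: ", $r['body'], "\n";
$r = ip_hardened(['callback' => 'jQuery.cb1'], $server);
echo "hardened status: ", $r['status'], " body: ", $r['body'], "\n";
```

Run with `php ip_example.php`. The vulnerable body begins with the raw script tag; the hardened endpoint answers the same request with 400 and accepts only the identifier-shaped callback, and even a legitimate callback is served as application/javascript with nosniff, which is the combination that keeps a reflected name from ever being treated as HTML.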
References
4 references
News mentions
No linked articles in our index yet.