CVE-2026-49294

Vulnerability

Valhalla versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter [1]. In src/worker.cc:718, the jsonp request parameter is stored unsanitized via options.set_jsonp() and subsequently written directly into the HTTP response body on both success and error paths, with Content-Type set to application/javascript [1]. No validation, output encoding, or allowlist filtering is applied to the callback value at any point in the data flow [1].

Exploitation

An attacker crafts a URL containing arbitrary JavaScript in the JSONP callback parameter, such as /route?json={"jsonp":"alert(document.cookie)//","locations":[{"lat":40,"lon":-74},{"lat":41,"lon":-75}]} [1]. The server responds with the injected JavaScript followed by JSON data and the Content-Type: application/javascript header [1]. The victim must be induced to load this URL via a `` tag, causing the injected script to execute in the context of the serving origin [1]. No authentication or prior access is required; the attack relies on social engineering to make the victim visit the crafted link.

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser session on the Valhalla origin [1]. This can lead to session token theft, credential disclosure, or actions performed on behalf of the victim within the application's security context [1].

Mitigation

No fix was available at the time of publication [1]. The advisory suggests a remediation in the form of a regex validation that restricts the callback value to ^[a-zA-Z_$][a-zA-Z0-9_$.]*$ [1]. Users are advised to apply such input validation or use a Content Security Policy (CSP) to mitigate script execution until an official patched release is provided [1].