Summary
XSS sidekiq-unique-jobs UI server vulnerability
Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.
Specifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a P3 on the BugCrowd taxonomy with the following categorization:
Cross-Site Scripting (XSS) > Reflected > Non-Self
It was initially thought there was a second vulnerability (RCE), but it was a false alarm. Injection is impossible with Redis:
String escaping and NoSQL injection
The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.
Ref: https://redis.io/docs/management/security/
XSS Vulnerability
Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.
/changelogs/locks/expiring_locks
This means if your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths are:
/sidekiq/changelogs/sidekiq/locks/sidekiq/expiring_locks
XSS vulnerability is an instance of CAPEC-32: XSS Through HTTP Query Strings, which is related to CWE-80. In certain cases where it results in a server error with status 500, it could be considered a vector for uncontrolled resource consumption, given that errors can be much more resource intensive that normal requests, and thus CWE-400 & CWE-754 may also be relevant.
Details
Fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.
This is an analogous attack vector to that which affected sidekiq gem from version v7.0.4 to v7.0.7, and was given identifiers GHSA-h3r8-h5qw-4r35 & CVE-2023-1892.
The vulnerability in sidekiq-unique-jobs' was not fixed by sidekiq v7.0.8, nor the more recent sidekiq v7.2.0 releases; they are similar but unrelated, distinct vulnerabilities in adjacent projects.
Note #1: The admin web UI for sidekiq-unique-jobs is not protected by any authorization constraint in the default configuration. Auth constraints must be configured by the programmer. It is recommended and expected that users will configure authorization constrains on the "admin" UI. This is not specifically related to the vulnerability but may make users who fail to constrain their "admin" UI even more vulnerable.
Note #2: Most users of the library will not have configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets vulnerable to exposure. The purpose of a sandboxed subdomain is expressly to prevent leaking sensitive data through XSS attacks.
XSS Fix PR: https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829
PoC
XSS
Use a string like:
%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
as the value for one of the parameters that are handled without escaping.
Reference: https://liveoverflow.com/do-not-use-alert-1-in-xss/
- Visit /sidekiq/changelogs - with a crafted query string like one of the following:
a. Screenshot:
b.filteris XSS vulnerable:?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
c.countis vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E- Screenshot:
- Visit /sidekiq/locks - with a crafted query string like one of the following:
a. Screenshot:
b.filteris XSS vulnerable:?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
c.countis vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E- Screenshot:
- Visit /sidekiq/expiring_locks - with a crafted query string like one of the following:
a. Screenshot:
b.filteris XSS vulnerable:?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
Impact
This is a vulnerability of critical severity, which impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry, with multiple attack vectors.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2024-25122 has a CVSS score of 7.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (8.0.7, 7.1.33); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
sidekiq-unique-jobs to 8.0.7 or later; sidekiq-unique-jobs to 7.1.33 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-25122? CVE-2024-25122 is a high-severity cross-site scripting (XSS) vulnerability in sidekiq-unique-jobs (rubygems), affecting versions >= 8.0.0, < 8.0.7. It is fixed in 8.0.7, 7.1.33. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2024-25122? CVE-2024-25122 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of sidekiq-unique-jobs are affected by CVE-2024-25122? sidekiq-unique-jobs (rubygems) versions >= 8.0.0, < 8.0.7 is affected.
- Is there a fix for CVE-2024-25122? Yes. CVE-2024-25122 is fixed in 8.0.7, 7.1.33. Upgrade to this version or later.
- Is CVE-2024-25122 exploitable, and should I be worried? Whether CVE-2024-25122 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-25122 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-25122?
- Upgrade
sidekiq-unique-jobsto 8.0.7 or later - Upgrade
sidekiq-unique-jobsto 7.1.33 or later
- Upgrade