GHSA-V7QW-HX66-4W9X

GHSA-V7QW-HX66-4W9X is a high-severity cross-site scripting (XSS) vulnerability in netbox-data-flows (pip), affecting versions <= 1.5.0. It is fixed in 1.5.1.

Summary

An authenticated user who can create or edit ObjectAlias objects can store arbitrary HTML/JavaScript in an alias name. That payload is later rendered unescaped in DataFlow table views, causing a stored XSS when another user views the affected page.

Details

The issue is caused by unsafe HTML generation in the plugin’s custom table column renderer.

Relevant code on main (bf96eac, same commit as origin/main at the time of review):

  • netbox_data_flows/models/objectaliases.py
    • ObjectAlias.name is user-controlled (CharField)
    • ObjectAlias.__str__() returns self.name directly
  • netbox_data_flows/tables/dataflows.py
    • DataFlowTable.sources and DataFlowTable.destinations use ObjectAliasListColumn
  • netbox_data_flows/tables/columns.py
    • ObjectAliasListColumn.render() calls object_list_to_string(value.all(), linkify=True)
  • netbox_data_flows/utils/helpers.py
    • object_list_to_string() builds raw anchor tags with:
      mark_safe(separator.join(f'<a href="{o.get_absolute_url()}">{o}</a>' for o in objects))

The alias text ({o}) is inserted into HTML without escaping, then the whole string is marked safe. Because ObjectAlias.__str__() returns the user-supplied name, HTML/JS in the alias name is executed in the victim’s browser.

This affects any page rendering DataFlowTable, including at least:

  • the main Data Flow list page
  • model tabs that reuse DataFlowTable
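
As an added example (not code from the plugin or the advisory), the snippet below places the unescaped join described above beside a hardened form and adds a small parser-based check that a regression test could use. It assumes a stand-in ObjectAlias dataclass with a hypothetical URL route, and uses html.escape from the standard library in place of Django's escape()/format_html_join so that it runs without Django installed.

```python
# Added example (not the plugin's or advisory's own code): the unescaped join the
# advisory describes, beside a hardened form, plus a parser-based check for a
# regression test. Assumptions: ObjectAlias is a constructed stand-in, the URL
# route is hypothetical, and html.escape from the standard library stands in for
# Django's escape()/format_html_join so the example runs without Django.
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser


@dataclass
class ObjectAlias:
    """Constructed stand-in for the plugin's ObjectAlias model."""
    pk: int
    name: str  # user-controlled, like the real CharField

    def get_absolute_url(self) -> str:
        return f"/plugins/data-flows/object-aliases/{self.pk}/"  # hypothetical route

    def __str__(self) -> str:
        return self.name  # mirrors ObjectAlias.__str__() returning the raw name


def object_list_to_string_vulnerable(objects, separator=", "):
    """The pattern from the advisory: str(o) is interpolated into markup unescaped.

    In the plugin the result is then wrapped in mark_safe(), so Django's template
    auto-escaping no longer protects the page.
    """
    return separator.join(f'<a href="{o.get_absolute_url()}">{o}</a>' for o in objects)


def object_list_to_string_fixed(objects, separator=", "):
    """Hardened form: escape the URL and the display text before building markup.

    The Django-idiomatic equivalent is
        format_html_join(separator, '<a href="{}">{}</a>',
                         ((o.get_absolute_url(), str(o)) for o in objects))
    which escapes every argument and returns a SafeString, so linkify keeps working.
    """
    return separator.join(
        f'<a href="{escape(o.get_absolute_url())}">{escape(str(o))}</a>'
        for o in objects
    )


class _TagCollector(HTMLParser):
    """Collects start-tag names from rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def leaked_tags(markup: str):
    """Return every element in `markup` other than the anchors the helper builds.

    An empty list means user-supplied text did not become live markup.
    """
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t != "a"]


# Constructed sample: one benign alias and one carrying the advisory's PoC name.
SAMPLE_ALIASES = [
    ObjectAlias(pk=1, name="db-servers"),
    ObjectAlias(pk=2, name="<img src=x onerror=alert(document.domain)>"),
]

if __name__ == "__main__":
    print("vulnerable:", leaked_tags(object_list_to_string_vulnerable(SAMPLE_ALIASES)))
    print("fixed:     ", leaked_tags(object_list_to_string_fixed(SAMPLE_ALIASES)))
```

The check in leaked_tags() is deliberately narrow: it only asserts that nothing but the anchor elements the helper itself emits survives rendering, which is exactly the invariant that mark_safe() on an unescaped string breaks.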

PoC

Environment:

  • NetBox with netbox-data-flows installed
  • No special plugin configuration required

Steps:

  1. Log in as a user with permission to create or edit ObjectAlias and DataFlow.
  2. Create a new ObjectAlias with the following name:
    <img src=x onerror=alert(document.domain)>
  3. Create or edit a DataFlow so this alias is present in either sources or destinations.
  4. Log in as another user and open the Data Flow list page in the plugin UI.
  5. The JavaScript executes when the table renders the alias list.

A simple path to trigger is the Data Flow list page. Any other page that renders DataFlowTable should also be tested.

Impact

This is a stored cross-site scripting vulnerability.

Impacted users:

  • any authenticated user who can view a page rendering the affected DataFlow table
  • especially higher-privileged NetBox users, because an attacker with lower privileges may target them by planting a malicious alias name

Possible impact:

  • session theft
  • execution of privileged actions in the victim’s session
  • exfiltration of data visible to the victim in NetBox

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

GHSA-V7QW-HX66-4W9X has a CVSS score of 8.7 (High). The vector is network-reachable, requires low privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.5.1); upgrading removes the vulnerable code path.

Affected versions

netbox-data-flows (<= 1.5.0)

Security releases

netbox-data-flows → 1.5.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade netbox-data-flows to 1.5.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-V7QW-HX66-4W9X? GHSA-V7QW-HX66-4W9X is a high-severity cross-site scripting (XSS) vulnerability in netbox-data-flows (pip), affecting versions <= 1.5.0. It is fixed in 1.5.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is GHSA-V7QW-HX66-4W9X? GHSA-V7QW-HX66-4W9X has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of netbox-data-flows are affected by GHSA-V7QW-HX66-4W9X? netbox-data-flows (pip) versions <= 1.5.0 are affected.
  4. Is there a fix for GHSA-V7QW-HX66-4W9X? Yes. GHSA-V7QW-HX66-4W9X is fixed in 1.5.1. Upgrade to this version or later.
  5. Is GHSA-V7QW-HX66-4W9X exploitable, and should I be worried? Whether GHSA-V7QW-HX66-4W9X is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-V7QW-HX66-4W9X is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-V7QW-HX66-4W9X? Upgrade netbox-data-flows to 1.5.1 or later.
