Cyber Resilience

CVE-2024-29882

Severity: High · Public PoC referenced

Published: 28 March 2024
Modified: 08 January 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0770 (92.1st percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29882 is a high-severity cross-site scripting (CWE-79) vulnerability in SRS (Simple Realtime Server) by ossrs. Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 7.9% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

SRS is a simple, high-efficiency real-time video server. Its HTTP API exposes a JSONP-style endpoint, /api/v1/vhosts/vid-<id>?callback=<payload>, whose callback parameter was reflected into the response body without validation. A caller could therefore supply an arbitrary JavaScript payload instead of a function name, and that payload would execute in any browser that loaded the response as script or rendered it as a page. The issue is tracked as CWE-79 and was present in all releases before the fixes shipped in versions 5.0.210 and 6.0.121.

An unauthenticated remote attacker can send a crafted HTTP request containing a malicious callback value. The published CVSS vector rates the flaw as network-reachable, low-complexity, and requiring no credentials or user interaction. In practice, as with any reflected XSS, a victim's browser must load the crafted URL (directly or via a page that embeds it) for the script to run in that victim's context; the UI:N rating should be read as the scorer's judgement rather than as a statement that no victim involvement is needed. The resulting impact is limited disclosure and tampering within the affected origin, which also covers any authenticated API session the victim holds with the SRS instance.

The project addressed the flaw in commit 244ce7bc013a0b805274a65132a2980680ba6b9d and published the details in GitHub Security Advisory GHSA-gv9r-qcjc-5hj7, confirming that the parameter is now sanitized and recommending that deployments upgrade to the patched releases. The associated EPSS score has remained flat at 0.0770 with no material increase since disclosure.
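To make the failure mode concrete, the block below is an added example written for this page and is not SRS's own code. It contrasts the vulnerable shape of a JSONP wrapper (callback name echoed verbatim) with a hardened one that accepts only a JavaScript-identifier-like name and otherwise falls back to plain JSON. C++ is used because SRS is a C++ project; the function names, the sample JSON body and the specific allow-list (ASCII letters, digits, `_`, `$`, `.`) are assumptions for illustration and are not claimed to match the policy the SRS fix adopted.

```cpp
// Added example (not SRS code): an unvalidated JSONP "callback" name turns a
// JSON API response into a script-injection point; an allow-list closes it.
#include <cctype>
#include <iostream>
#include <string>

// Constructed sample body, standing in for what an endpoint such as
// /api/v1/vhosts/vid-<id> might return. The field names are assumptions.
static const std::string kSampleJson = "{\"code\":0,\"vhost\":\"vid-1\"}";

// Vulnerable shape: whatever arrived in ?callback= is concatenated into the
// response. A value such as "alert(1);//" yields valid JavaScript that runs
// the attacker's statement and comments out the wrapped JSON.
std::string wrap_jsonp_unsafe(const std::string& callback, const std::string& json) {
    return callback + "(" + json + ");";
}

// Allow-list check for a callback name: non-empty, bounded length, must not
// start with a digit, and every byte must be an ASCII letter, digit, '_', '$'
// or '.' ('.' permits namespaced callbacks such as "window.cb"). Anything
// else, including '<', '(', ';', '/' and whitespace, is rejected outright.
bool is_safe_callback_name(const std::string& cb) {
    if (cb.empty() || cb.size() > 64) return false;
    if (std::isdigit(static_cast<unsigned char>(cb[0]))) return false;
    for (unsigned char c : cb) {
        if (std::isalnum(c) || c == '_' || c == '$' || c == '.') continue;
        return false;
    }
    return true;
}

// Hardened shape: validate before reflecting. When the name is not acceptable
// the handler degrades to plain JSON instead of echoing attacker input.
// Returns true if JSONP was emitted, false if plain JSON was emitted.
bool wrap_jsonp_safe(const std::string& callback, const std::string& json, std::string& out) {
    if (!is_safe_callback_name(callback)) {
        out = json;
        return false;
    }
    out = callback + "(" + json + ");";
    return true;
}

int main() {
    const std::string benign = "cb";
    const std::string hostile = "alert(1);//";  // constructed payload, not from the advisory
    std::string out;

    std::cout << "unsafe, benign : " << wrap_jsonp_unsafe(benign, kSampleJson) << "\n";
    std::cout << "unsafe, hostile: " << wrap_jsonp_unsafe(hostile, kSampleJson) << "\n";

    wrap_jsonp_safe(benign, kSampleJson, out);
    std::cout << "safe,   benign : " << out << "\n";
    wrap_jsonp_safe(hostile, kSampleJson, out);
    std::cout << "safe,   hostile: " << out << "\n";
    return 0;
}
```

Build with `g++ -std=c++11 jsonp_example.cpp -o jsonp_example` and run it to see the hostile callback become executable JavaScript in the unsafe path and collapse to plain JSON in the hardened one. Validating the name is the core fix; a deployment should additionally serve JSONP responses with `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff`, and prefer CORS over JSONP where clients allow it, since JSONP by design hands the response to the caller as executable script.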

Vulnerability details

SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name, which allowed injecting malicious JavaScript payloads and executing XSS (cross-site scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ossrs
simple realtime server
< 5.0.210 · 6.0.0 to < 6.0.121 (fixed in 5.0.210 and 6.0.121)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-79): submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS.

Output validation (addresses CWE-79): output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.