CVE-2025-64716: 
vulnerability analysis and mitigation

CVE-2025-64716 is a security vulnerability discovered in Anubis affecting versions prior to 1.23.0. The vulnerability was disclosed on October 30, 2025, and involves a possible XSS (Cross-Site Scripting) attack vector via the redir parameter when using subrequest authentication mode. The issue affects both the Docker package (ghcr.io/techarohq/anubis) and Go module (github.com/TecharoHQ/anubis) (GitHub Advisory).

The vulnerability stems from insufficient validation of redirect URLs in subrequest authentication mode. When processing redirects, the application fails to properly validate the URL scheme, allowing redirects to potentially dangerous URL schemes. The issue has been assigned a Low severity rating with a CVSS v3.1 base score indicating Network attack vector, Low attack complexity, and No privileges required. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-601 (URL Redirection to Untrusted Site) (GitHub Advisory).

While the impact is considered Low severity, the vulnerability could allow attackers to trigger dangerous behavior in certain cases. Although most modern browsers block javascript: URL redirects, the vulnerability could still be exploited using custom protocols for third-party applications, potentially triggering unauthorized operations. Any installation using subrequest authentication is potentially affected (GitHub Advisory).

The vulnerability has been patched in version 1.23.0 of Anubis. The fix includes additional validation of URL schemes and improved security checks for redirect URLs. Users are strongly recommended to upgrade to version 1.23.0 or later to address this security issue (GitHub Commit).

The vulnerability was initially reported by security researchers @mbiesiad and @nijel. It was noted that there was a delay in addressing the issue, which was acknowledged by the maintainers with an apology for the delayed response (GitHub Advisory).