Bug#1118145: gi-docgen: CVE-2025-11687: cross-site scripting in search.js
Simon McVittie
smcv at debian.org
Wed Oct 15 11:22:06 BST 2025
Package: gi-docgen
Version: 2025.4-1
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Forwarded: https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
Control: close -1 2025.5-1
As noted in the security tracker, a cross-site scripting vulnerability
was reported in gi-docgen. I've uploaded the fixed version to unstable
already.
If I'm understanding correctly, the exploit route would be:
1. a library developer builds API documentation using gi-docgen
2. they host it on a web server that is accessible by the victim
3. there is something else hosted on the same web server (same origin)
that is not public information, or that is editable by the victim
4. the attacker makes the victim follow a link to a crafted search query
5. the cross-site scripting vulnerability results in attacker-chosen
JavaScript running in the victim's browser in the context of the
website, which can be used to leak non-public information or carry
out edits, depending on the scope of (3.)
How serious does the security team consider this to be? My suggestion
would be to treat it as a minor vulnerability that can be fixed via
proposed-updates.
The JavaScript file that contains the vulnerability (search.js) gets
copied into documentation packages such as libportal-doc, so if someone
uploaded these documentation packages to a public web server, it would
be vulnerable to cross-site scripting. This seems somewhat unlikely in
practice, so I don't think it is necessary to do a mass rebuild of
libraries like src:libportal that have gi-docgen-generated
documentation, either in testing/unstable or in (old)stable. Does the
security team agree?
smcv