Weights and Biases OpenUI Cross-Site Scripting Vulnerability in Window Message Event Handler

A stored cross-site scripting (XSS) vulnerability has been identified in Weights and Biases OpenUI versions through 1.0. The issue resides in the Window Message Event Handler component, specifically within the file frontend/public/annotator/index.html. This vulnerability allows for the injection of unsanitized HTML and JavaScript from a language model (LLM) response, which is rendered in a sandboxed iframe. The iframe's configuration permits scripts to access the parent document's cookies and local storage, potentially leading to session hijacking and account takeover.

Impact

Exploitation of this vulnerability allows injected scripts to access parent.document.cookie, facilitating the theft of session tokens for account takeover. Additionally, the scripts can read from parent.localStorage and sessionStorage, exposing cached application state, API keys, or conversation history. The iframe content can be manipulated to create phishing scenarios, such as impersonating a login form to collect credentials. Furthermore, the vulnerability allows for a persistent compromise, as malicious scripts are executed each time the user revisits the generated UI.

Reproduction

To reproduce this vulnerability, first, set up a malicious server that can return LLM-generated responses containing HTML and JavaScript payloads, including script tags. Once the server is running, configure the OpenUI instance to use this server as the LLM provider by setting the OPENAI_BASE_URL environment variable. After this configuration, navigate to the OpenUI application and generate a new UI component. The injected script will execute immediately, demonstrating the cross-site scripting vulnerability.