Octocat.js vulnerable to code injection

Impact

Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.

Patches

This vulnerability was fixed in version 1.2 of octocat.js

Workarounds

Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.

References

To render the file correctly, see documentation at readme.md

For more information

If you have any questions or comments about this advisory:

• Open an issue in the octo.js repository