CVE-2023-47115: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in HumanSignal label-studio
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
AI Analysis
Technical Summary
CVE-2023-47115 is a high-severity cross-site scripting (XSS) vulnerability affecting HumanSignal's open-source data labeling tool, Label Studio, in versions prior to 1.9.2. The vulnerability arises from improper input neutralization during web page generation, specifically in the handling of user-uploaded avatar images. An authenticated user can upload a crafted image file containing malicious HTML/JavaScript code disguised as an image. The vulnerability stems from insufficient server-side validation: the application only verifies the file as an image by extracting its dimensions, but does not enforce strict file extension validation on the server side. Instead, file extension checks are performed client-side, which attackers can bypass. Furthermore, Label Studio uses Django's built-in 'serve' view to deliver avatar images. This view determines the Content-Type header based on the file extension in the URL path, not the actual file content. Consequently, if an attacker uploads a file with a '.html' extension containing malicious JavaScript, the server serves it as an HTML page, enabling script execution in the context of the victim's browser. This XSS can be exploited when a user, including administrators, views the crafted avatar image. For example, an attacker could inject JavaScript that creates a new Django super administrator account if a Django admin visits the malicious avatar. This elevates the risk from a typical XSS to a potential full compromise of the Label Studio instance. The vulnerability is fixed in version 1.9.2. Recommended mitigations include enforcing server-side validation of file extensions, replacing Django's 'serve' view with a secure controller for serving uploaded avatars, storing uploaded files in a database rather than the filesystem to reduce file-related risks, and generally avoiding trust in user-controlled inputs. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using Label Studio versions prior to 1.9.2, this vulnerability poses a significant risk. Successful exploitation can lead to arbitrary JavaScript execution in the context of authenticated users, including administrators. This can result in unauthorized privilege escalation, data manipulation, and potential full system compromise. Given Label Studio's role in data labeling, often used in machine learning workflows, compromise could lead to data integrity issues, leakage of sensitive datasets, or sabotage of AI training processes. The impact extends beyond confidentiality to integrity and availability, as attackers could inject malicious code to alter or delete data or disrupt operations. Organizations in sectors such as finance, healthcare, automotive, and research using Label Studio for sensitive data annotation are particularly at risk. The requirement for authentication and user interaction (visiting the malicious avatar) somewhat limits exploitation scope but does not eliminate risk, especially in environments with multiple users and administrators. The vulnerability's high CVSS score (7.1) reflects these risks. Additionally, the use of Django's insecure 'serve' view in production environments is a common misconfiguration that may be prevalent in European deployments, increasing exposure.
Mitigation Recommendations
1. Upgrade Label Studio to version 1.9.2 or later immediately to apply the official patch addressing this vulnerability. 2. Implement strict server-side validation of uploaded file extensions and MIME types, rejecting any files that do not conform to expected safe image formats (e.g., .png, .jpg, .jpeg, .gif). 3. Replace Django's built-in 'serve' view with a secure, custom controller that explicitly sets Content-Type headers based on verified file content rather than file extension, preventing HTML rendering of uploaded files. 4. Consider storing uploaded avatar images in a database or object storage with controlled access rather than directly on the filesystem to reduce file-related attack vectors. 5. Conduct regular security audits of file upload functionalities and ensure client-side validations are complemented by robust server-side checks. 6. Educate users and administrators about the risks of clicking on suspicious avatar images or links within the platform. 7. Monitor logs for unusual avatar upload patterns or access to avatar URLs with unexpected file extensions. 8. If upgrading immediately is not feasible, implement web application firewall (WAF) rules to detect and block requests serving avatar images with '.html' or other suspicious extensions. 9. Review and harden Django configurations to avoid using development-only features like 'serve' in production environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
CVE-2023-47115: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in HumanSignal label-studio
Description
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image. The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed. Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
AI-Powered Analysis
Technical Analysis
CVE-2023-47115 is a high-severity cross-site scripting (XSS) vulnerability affecting HumanSignal's open-source data labeling tool, Label Studio, in versions prior to 1.9.2. The vulnerability arises from improper input neutralization during web page generation, specifically in the handling of user-uploaded avatar images. An authenticated user can upload a crafted image file containing malicious HTML/JavaScript code disguised as an image. The vulnerability stems from insufficient server-side validation: the application only verifies the file as an image by extracting its dimensions, but does not enforce strict file extension validation on the server side. Instead, file extension checks are performed client-side, which attackers can bypass. Furthermore, Label Studio uses Django's built-in 'serve' view to deliver avatar images. This view determines the Content-Type header based on the file extension in the URL path, not the actual file content. Consequently, if an attacker uploads a file with a '.html' extension containing malicious JavaScript, the server serves it as an HTML page, enabling script execution in the context of the victim's browser. This XSS can be exploited when a user, including administrators, views the crafted avatar image. For example, an attacker could inject JavaScript that creates a new Django super administrator account if a Django admin visits the malicious avatar. This elevates the risk from a typical XSS to a potential full compromise of the Label Studio instance. The vulnerability is fixed in version 1.9.2. Recommended mitigations include enforcing server-side validation of file extensions, replacing Django's 'serve' view with a secure controller for serving uploaded avatars, storing uploaded files in a database rather than the filesystem to reduce file-related risks, and generally avoiding trust in user-controlled inputs. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using Label Studio versions prior to 1.9.2, this vulnerability poses a significant risk. Successful exploitation can lead to arbitrary JavaScript execution in the context of authenticated users, including administrators. This can result in unauthorized privilege escalation, data manipulation, and potential full system compromise. Given Label Studio's role in data labeling, often used in machine learning workflows, compromise could lead to data integrity issues, leakage of sensitive datasets, or sabotage of AI training processes. The impact extends beyond confidentiality to integrity and availability, as attackers could inject malicious code to alter or delete data or disrupt operations. Organizations in sectors such as finance, healthcare, automotive, and research using Label Studio for sensitive data annotation are particularly at risk. The requirement for authentication and user interaction (visiting the malicious avatar) somewhat limits exploitation scope but does not eliminate risk, especially in environments with multiple users and administrators. The vulnerability's high CVSS score (7.1) reflects these risks. Additionally, the use of Django's insecure 'serve' view in production environments is a common misconfiguration that may be prevalent in European deployments, increasing exposure.
Mitigation Recommendations
1. Upgrade Label Studio to version 1.9.2 or later immediately to apply the official patch addressing this vulnerability. 2. Implement strict server-side validation of uploaded file extensions and MIME types, rejecting any files that do not conform to expected safe image formats (e.g., .png, .jpg, .jpeg, .gif). 3. Replace Django's built-in 'serve' view with a secure, custom controller that explicitly sets Content-Type headers based on verified file content rather than file extension, preventing HTML rendering of uploaded files. 4. Consider storing uploaded avatar images in a database or object storage with controlled access rather than directly on the filesystem to reduce file-related attack vectors. 5. Conduct regular security audits of file upload functionalities and ensure client-side validations are complemented by robust server-side checks. 6. Educate users and administrators about the risks of clicking on suspicious avatar images or links within the platform. 7. Monitor logs for unusual avatar upload patterns or access to avatar URLs with unexpected file extensions. 8. If upgrading immediately is not feasible, implement web application firewall (WAF) rules to detect and block requests serving avatar images with '.html' or other suspicious extensions. 9. Review and harden Django configurations to avoid using development-only features like 'serve' in production environments.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2023-10-30T19:57:51.674Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6839c098182aa0cae2b3b6d1
Added to database: 5/30/2025, 2:28:40 PM
Last enriched: 7/8/2025, 7:26:34 PM
Last updated: 7/26/2025, 4:53:31 AM
Views: 8
Related Threats
CVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab
MediumCVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway
HighCVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-55150: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.