📄 Description (English)
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.
🤖 AI Executive Summary
Homarr versions prior to 1.57.0 contain a DOM-based XSS vulnerability in the /auth/login page where the callbackUrl parameter is improperly validated, allowing attackers to execute arbitrary JavaScript in authenticated users' browsers. This could enable credential theft, session hijacking, and lateral movement within organizational networks. The vulnerability has known exploits available and requires immediate patching to version 1.57.0 or later.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 05:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Homarr as an internal dashboard—particularly in Banking (SAMA-regulated institutions), Government agencies (NCA oversight), Healthcare facilities, and Energy sector (ARAMCO and subsidiaries)—face significant risk. Authenticated users could be tricked into clicking malicious links, leading to credential compromise, unauthorized access to sensitive dashboards, and potential lateral movement to critical systems. The vulnerability is particularly dangerous in environments where Homarr serves as a centralized monitoring or administrative interface for critical infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Facilities
Energy and Utilities
Telecommunications
Critical Infrastructure
Education and Research
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Homarr to version 1.57.0 or later immediately—this is a critical security update
2. Review access logs for the /auth/login endpoint to identify any suspicious callbackUrl parameters or unusual redirect patterns
3. Force re-authentication of all users and invalidate existing sessions as a precautionary measure
4. Notify users not to click on external links directing them to your Homarr login page
COMPENSATING CONTROLS (if upgrade is delayed):
1. Implement Web Application Firewall (WAF) rules to block requests containing suspicious callbackUrl parameters (e.g., those containing 'javascript:', 'data:', or external domains)
2. Deploy Content Security Policy (CSP) headers with strict directives: default-src 'self'; script-src 'self'; frame-ancestors 'none'
3. Enable HTTP-only and Secure flags on all session cookies
4. Implement input validation on the client-side to reject callbackUrl parameters that don't match your domain whitelist
DETECTION RULES:
1. Monitor for POST/GET requests to /auth/login with callbackUrl parameters containing encoded characters or suspicious domains
2. Alert on any JavaScript execution attempts originating from the login page
3. Track unusual redirect patterns or cross-domain navigation from authenticated sessions
4. Log and alert on any XSS-related WAF blocks
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بترقية Homarr إلى الإصدار 1.57.0 أو أحدث على الفور - هذا تحديث أمني حرج
2. راجع سجلات الوصول لنقطة نهاية /auth/login لتحديد أي معاملات callbackUrl مريبة أو أنماط إعادة توجيه غير عادية
3. فرض إعادة المصادقة لجميع المستخدمين وإلغاء الجلسات الموجودة كإجراء احترازي
4. أخبر المستخدمين بعدم النقر على الروابط الخارجية التي توجههم إلى صفحة تسجيل الدخول الخاصة بك
الضوابط التعويضية (إذا تأخر التحديث):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على معاملات callbackUrl مريبة (مثل تلك التي تحتوي على 'javascript:' أو 'data:' أو نطاقات خارجية)
2. نشر رؤوس سياسة أمان المحتوى (CSP) مع توجيهات صارمة: default-src 'self'; script-src 'self'; frame-ancestors 'none'
3. تفعيل أعلام HTTP-only و Secure على جميع ملفات تعريف الارتباط للجلسة
4. تنفيذ التحقق من الإدخال على جانب العميل لرفض معاملات callbackUrl التي لا تطابق قائمة النطاقات البيضاء الخاصة بك
قواعد الكشف:
1. مراقبة طلبات POST/GET إلى /auth/login مع معاملات callbackUrl تحتوي على أحرف مشفرة أو نطاقات مريبة
2. تنبيه محاولات تنفيذ JavaScript التي تنشأ من صفحة تسجيل الدخول
3. تتبع أنماط إعادة التوجيه غير العادية أو الملاحة عبر النطاقات من الجلسات المصرح بها
4. تسجيل والتنبيه على أي كتل WAF المتعلقة بـ XSS
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Web application security controls
ECC 2024 A.6.14 - Secure development and change management
🔵 SAMA CSF
SAMA CSF ID.BE-3.1 - Organizational resilience and risk management
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.DS-2 - Data security and protection
SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activities
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.5.16 - Authentication
ISO 27001:2022 A.8.22 - Web application security
ISO 27001:2022 A.8.24 - Protection against malware
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 6.2 - Security patches and updates
🔗 References & Sources 2
📦 Affected Products / CPE 1 entries
homarr:homarr