Stored XSS in /store endpoint (CVE-2025-70849)

[wpwilson10]

The /store handler in pkg/api/http/store.go doesn't set a Content-Type header, so Go sniffs HTML payloads and serves them as text/html. This allows stored XSS.

Ref: https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea

[matheuscscp]

Real-World Impact This vulnerability is particularly dangerous when podinfo is deployed on sensitive infrastructure. During research, multiple instances were found exposed on high-trust domains Note: they already fixed those bugs. Attackers can use these trusted subdomains to host malicious phishing pages or steal administrative credentials from cluster operators.

Why would anyone deploy podinfo in a prod env? I guess AI makes us time for everything

[wpwilson10]

Read world impact for me was that my internal work demo environment got flagged and quarantined by our security tools.

[stefanprodan]

This was fixed in https://github.com/stefanprodan/podinfo/releases/tag/6.11.1 no idea when scanners would update.