What happened:
There is a severe DOM-based Cross-Site Scripting (XSS) vulnerability in the Besu benchmarks dashboard.
In besu-benchmarks/dashboard/js/app.js, the application dynamically constructs HTML strings using data fetched from index.json and trends.json and injects them directly into the DOM using innerHTML. This is done without any prior escaping or sanitization.
Multiple fields are vulnerable to this injection, including:
- latestRun.besu_ref in the hero section (Line 96).
- r.name, r.unit, and r.curr_ref in the regression alerts (Line 120).
- c (category) and d.best.name in the category cards (Line 140).
- b.name in the benchmark table (Line 254), which is also interpolated into an inline onclick handler.
- r.besu_ref and r.filename in the run history (Line 462).
Because these values often originate from external CI/CD environments and git metadata (such as branch names, commit messages, or benchmark test names), an attacker who can push a crafted branch name (e.g. <img src=x onerror=alert(1)>) or modify a benchmark name can execute arbitrary JavaScript in the browser of anyone viewing the dashboard.
What you expected to happen:
Dynamic user-controlled or external data should never be passed directly to innerHTML.
The application should either:
- Use safe DOM manipulation properties such as textContent (or innerText) when inserting plain text.
- Build DOM elements dynamically using document.createElement() and assign data through textContent, setAttribute() or dataset.
- If HTML string interpolation is absolutely necessary, use a robust sanitization library like DOMPurify before assigning the string to innerHTML. Note that DOMPurify strips inline event handlers such as onclick by default, so the benchmark table's click handling must in any case be moved to addEventListener.
How to reproduce it (as minimally and precisely as possible):
- Navigate to the besu-benchmarks/dashboard/data directory.
- Edit the index.json file and inject a standard XSS payload into the besu_ref of the latest run:
"runs": [
  {
    "besu_ref": "<img src=x onerror=alert('XSS_Execution_Successful')>",
    "besu_sha": "abcdef123456",
    "timestamp": "2026-05-09T10:00:00Z"
  }
]
- Start the local server if not already running (python3 -m http.server 8000).
- Load the dashboard in your web browser.
- Observe that the JavaScript alert is triggered immediately on page load, confirming the XSS vulnerability.
Anything else we need to know?:
This represents a high risk for dashboards connected to automated pipelines, as a compromised pull request or malicious branch name could be used to attack repository maintainers reviewing the performance metrics.
The vulnerability in the benchmark table (b.name) is particularly dangerous because the value is injected directly into an onclick handler (onclick="openTrend('${b.name}')"), so a payload containing a single quote escapes the JavaScript string context. HTML-escaping the value does not close this hole: the browser entity-decodes the attribute value before parsing it as JavaScript, so an escaped quote is restored before the string is evaluated. The inline handler has to go; the name should be carried in a data attribute (or closure) and the click bound with addEventListener.
Environment:
Component: besu-benchmarks (Dashboard)
Browser: All modern browsers
Others: Bug is located throughout besu-benchmarks/dashboard/js/app.js