Cross-Site Request Forgery (CSRF) in janeczku/calibre-web


Reported on

Dec 17th 2021


CSRF on various endpoints


Pretty recently CSRF protection in calibre-web was implemented. However, there are some state-changing endpoints that accept GET requests instead of POST.

The most impactful route so far, that allows to completely shutdown the server:

def shutdown():
    task = int(request.args.get("parameter").strip())
    showtext = {}
    if task in (0, 1):  # valid commandos received
        # close all database connections

        if task == 0:
            showtext['text'] = _(u'Server restarted, please reload page')
            showtext['text'] = _(u'Performing shutdown of server, please close window')
        # stop gevent/tornado server
        web_server.stop(task == 0)
        return json.dumps(showtext)

    if task == 2:
        log.warning("reconnecting to calibre database")
        calibre_db.reconnect_db(config, ub.app_DB_path)
        showtext['text'] = _(u'Reconnect successful')
        return json.dumps(showtext)`

And a bunch of low-impact CSRFs:

- Add a book to the shelf


- Delete a shelf:


And so on, actually this file has plenty of endpoints without protection.

Proof of Concept

I'm leaving a PoC only for the first example as all payloads are almost the same:

// PoC.html
<form action="" method="GET">
<input type="hidden" name="parameter" value="1"/>
<input type="submit" value="Shutdown"/>

Possible remediation

All requests that somehow change server/db state must be queried using POST method.


This vulnerability is capable of performing malicious actions in case victim visits attacker's website.


I'm not sure that I found all vulnerable endpoints, so it's better to check all existing routes that allow to use GET.


Here I simply leave the whole file as it has lots of vulnerable endpoints

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 5 months ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 5 months ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 5 months ago
janeczku validated this vulnerability 5 months ago
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
4 months ago


Could you please review this report as well?

janeczku confirmed that a fix has been merged on 785726 4 months ago
The fix bounty has been dropped has been validated has been validated
to join this conversation