Subdomain Takeover of in jgraph/


Reported on

May 22nd 2022

First of all, I apologize for reporting it here because I noticed that they have a program with huntr but only for DrawIO source code. Since I discovered this vulnerability I decided to ethically disclose it here instead of leaving it vulnerable.

I found a subdomain of that was previously connected to but it was changed to

To take over the vulnerable subdomain, I just created a GitHub repo and claimed the


The vulnerable subdomain is ; a malicious actor could use it to host malicious resources such as fake or phishing pages.
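The class of bug reported above is a dangling DNS record: a CNAME still points at a third-party hosting target the owner no longer controls, so whoever registers that target serves content under the owner's name. The audit below is an added example written from the defender's side; it is not part of the report or of the jgraph/ project. It runs over a constructed zone export, a constructed resolver table and a constructed provider probe so that it works offline; the domain names, IPs and records are made up, and only GitHub Pages is treated as a claimable provider because the report describes claiming the subdomain with a new GitHub repository. In production the resolver table becomes live DNS lookups and the provider probe becomes an HTTP request to each subdomain.

```python
"""Dangling-CNAME audit over a DNS zone export (added example, not from the report)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed zone snapshot: what a defender exports from their DNS provider.
# Names and targets are made up; example.org is a reserved documentation domain.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.org.":  ("A", "203.0.113.10"),
    "docs.example.org.": ("CNAME", "example-org.github.io."),
    "blog.example.org.": ("CNAME", "orphaned-project.github.io."),
    "old.example.org.":  ("CNAME", "retired-host.example.net."),
}

# Constructed stand-in for live DNS resolution. GitHub Pages answers for any
# *.github.io name (wildcard DNS), so "it resolves" alone does not prove the
# site is claimed; the missing entry for retired-host models a plain NXDOMAIN.
RESOLVES: Dict[str, str] = {
    "example-org.github.io.": "185.199.108.153",
    "orphaned-project.github.io.": "185.199.108.153",
}

# Constructed stand-in for a provider-level probe. In production this is an
# HTTP request to the subdomain; GitHub Pages answers an unclaimed name with a
# 404 page that says there is no GitHub Pages site here.
PROVIDER_HAS_SITE: Dict[str, bool] = {
    "example-org.github.io.": True,
    "orphaned-project.github.io.": False,
}

# Hosting targets where an unclaimed name can be registered by anyone. Only
# GitHub Pages is listed because that is what the report describes; adding
# other providers is left to the operator.
CLAIMABLE_SUFFIXES = (".github.io.",)


@dataclass
class Finding:
    name: str
    target: str
    risk: str    # "takeover", "dangling" or "ok"
    action: str


def classify(name: str, rtype: str, target: str,
             resolver: Dict[str, str], provider_has_site: Dict[str, bool]) -> Finding:
    """Decide whether one record is safe, stale, or open to takeover."""
    if rtype != "CNAME":
        return Finding(name, target, "ok", "no action")
    # A claimable target that the provider does not serve a site for is the
    # takeover case: the DNS still points there, but nobody owns the name.
    if target.endswith(CLAIMABLE_SUFFIXES) and not provider_has_site.get(target, False):
        return Finding(name, target, "takeover",
                       "remove the CNAME or re-claim the target before anyone else does")
    # Any other CNAME whose target no longer resolves is stale and should go.
    if resolver.get(target) is None:
        return Finding(name, target, "dangling",
                       "remove the stale CNAME; the target no longer exists")
    return Finding(name, target, "ok", "no action")


def audit(zone: Dict[str, Tuple[str, str]], resolver: Dict[str, str],
          provider_has_site: Dict[str, bool]) -> List[Finding]:
    """Classify every record in the zone export."""
    return [classify(n, rt, tgt, resolver, provider_has_site)
            for n, (rt, tgt) in zone.items()]


def risky(zone=ZONE, resolver=RESOLVES, provider_has_site=PROVIDER_HAS_SITE) -> Dict[str, str]:
    """Map each non-ok subdomain to its risk class; the result a ticket would be raised on."""
    return {f.name: f.risk
            for f in audit(zone, resolver, provider_has_site) if f.risk != "ok"}


if __name__ == "__main__":
    for f in audit(ZONE, RESOLVES, PROVIDER_HAS_SITE):
        print(f"{f.risk:9} {f.name:20} -> {f.target:30} {f.action}")
```

On the constructed zone this flags `blog.example.org.` as a takeover candidate (claimable target, no site behind it) and `old.example.org.` as merely dangling (target gone, not registrable by anyone); `docs.example.org.` is fine because the provider still serves it. The same run, scheduled against a real zone export, is the check that would have caught the record David Benson removed below before it was reported.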

We are processing your report and will contact the jgraph/ team within 24 hours. a year ago
David Benson modified the Severity from High (7.5) to Medium (5.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a year ago
Aj Dumanhug has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 1.0.0 with commit 166baf a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Benson
a year ago


Thanks for the report, DNS entry removed.

Aj Dumanhug
a year ago


You're welcome!
