Subdomain Takeover of in jgraph/


Reported on May 22nd 2022

First of all, I apologize for reporting it here, because I noticed that they have a program with huntr but only for the draw.io source code. Since I discovered this vulnerability, I decided to ethically disclose it here instead of leaving it vulnerable.

I found a subdomain of that was previously connected to but it was changed to

To take over the vulnerable subdomain, I just created a GitHub repo and claimed the


The vulnerable subdomain is, a malicious actor could use it to host malicious resources such as fake or phishing pages.
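The condition behind this report is a CNAME that still points at a GitHub-hosted name after the site behind it was moved, so anyone who claims that name serves content under the subdomain. The following is an added, defender-side example (not code from the report or from the jgraph project) that audits a DNS zone export for such dangling GitHub Pages records; the zone records and HTTP responses are constructed so it runs offline, and the "no site" fingerprint string is an assumption that should be verified against a live unclaimed host before relying on it.

```python
"""Audit a DNS zone export for CNAMEs that point at an unclaimed GitHub Pages host."""
from dataclasses import dataclass

GITHUB_PAGES_SUFFIX = "github.io"
# Assumed fingerprint returned by GitHub for a custom domain with no site behind it.
UNCLAIMED_FINGERPRINT = "There isn't a GitHub Pages site here"


@dataclass
class Finding:
    name: str
    target: str
    status: str  # "dangling", "in-use", "unreachable", "not-github", "no-cname"


def classify(name, records, fetch):
    """records: {host: [(rtype, value), ...]}; fetch(host) -> (status_code, body) or None."""
    cnames = [v for rtype, v in records.get(name, []) if rtype == "CNAME"]
    if not cnames:
        return Finding(name, "", "no-cname")
    target = cnames[0].rstrip(".")
    if not target.endswith(GITHUB_PAGES_SUFFIX):
        return Finding(name, target, "not-github")
    resp = fetch(name)  # fetch the custom hostname itself, not the github.io target
    if resp is None:
        return Finding(name, target, "unreachable")
    code, body = resp
    if code == 404 and UNCLAIMED_FINGERPRINT in body:
        return Finding(name, target, "dangling")  # remove the record or re-claim the target
    return Finding(name, target, "in-use")


def audit(records, fetch):
    """Return only the records that need action, in stable order."""
    return [f for f in (classify(n, records, fetch) for n in sorted(records)) if f.status == "dangling"]


# Constructed sample zone and HTTP responses (not real hosts).
SAMPLE_RECORDS = {
    "docs.example.com": [("CNAME", "example-org.github.io.")],
    "old.example.com": [("CNAME", "example-org.github.io.")],
    "www.example.com": [("A", "192.0.2.10")],
    "blog.example.com": [("CNAME", "hosting.example.net.")],
}
SAMPLE_RESPONSES = {
    "docs.example.com": (200, "<html>Project docs</html>"),
    "old.example.com": (404, "<html>There isn't a GitHub Pages site here.</html>"),
}


def sample_fetch(host):
    return SAMPLE_RESPONSES.get(host)


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, sample_fetch):
        print(f"{f.name} -> {f.target}: {f.status}")
```

In a real run, replace `sample_fetch` with an HTTP client and `SAMPLE_RECORDS` with your zone export; the remediation applied in this report, removing the stale DNS entry, is the "dangling" case.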

We are processing your report and will contact the jgraph/ team within 24 hours. a month ago
David Benson modified the Severity from High (7.5) to Medium (5.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a month ago
Aj Dumanhug has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on 166baf a month ago
The fix bounty has been dropped
David Benson
a month ago


Thanks for the report, DNS entry removed.

Aj Dumanhug
a month ago


You're welcome!
