Cross-Site Request Forgery (CSRF) in convos-chat/convos


Reported on

Dec 11th 2021


An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="submit" value="Submit request" />


This vulnerability is capable of forging users to unintentional logout.

More Detail

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out. This is why it should be a POST with a CSRF token.


While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the convos-chat/convos team within 24 hours. 2 years ago
Devendra Bhatla
2 years ago


@admin Please contact on to the maintainer.

We created a GitHub Issue asking the maintainers to create a 2 years ago
Jamie Slome
2 years ago


@dev696 - I have commented on the GitHub Issue! I have shared the report URL with them if they want to view the report directly. Otherwise, once they have added an e-mail to the, they will receive a magic link to access the page.

Devendra Bhatla
2 years ago


@Jamie, I believe we can considered the shared email "" You can share all the details as this is the main contact. Also the URL is private and cannot be viewed. Thanks for your support as always.

We have contacted a member of the convos-chat/convos team and are waiting to hear back 2 years ago
Jamie Slome
2 years ago


Sorted! ūüéä

A convos-chat/convos maintainer validated this vulnerability 2 years ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
A convos-chat/convos maintainer marked this as fixed in 6.40 with commit a2d265 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ChatSidebar.svelte#L233 has been validated
A convos-chat/convos maintainer
2 years ago


Thanks for reporting this through e-mail, instead of posting it online before having a chance to fix it.

I did consider this a minor issue. I think even bigger sites like Google also does not protect the /logout endpoint. Nevertheless, the fix was simple to add, so why not? :)

2 years ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself.

Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it on some reports or CVEs. The convos' s users will be shocked if they know that their app has a High vulnerability with the impact is just logging out a user with no affected on the account, just an annoyance!

to join this conversation