Improper Access Control in Crabtyper API in brancobruyneel/crabtyper


Reported on

Jun 16th 2022


The API program allows any user to create languages and snippets, as well as delete them. This allows a malicious actor to add offensive snippets which could appear to any user, and also allows anyone to completely take down the service by removing all snippets.

This is due to insufficient access control being implemented in the API.

Proof of Concept

Create a language:

$ curl -X POST -H "Content-Type: application/json" -d "{\"name\":\"example\"}"

Delete a snippet:

$ curl -X DELETE

These are just two examples, snippets can also be created in a similar way.


This vulnerability is capable of displaying arbitrary text data to all users and preventing the service from operating by deleting all snippets.

We are processing your report and will contact the brancobruyneel/crabtyper team within 24 hours. a year ago
a year ago


Update: looks like someone has already exploited this - needs to be fixed ASAP!

We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the brancobruyneel/crabtyper team and are waiting to hear back a year ago
brancobruyneel validated this vulnerability a year ago
William Henderson has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
brancobruyneel marked this as fixed in 0.1.0 with commit 5022f4 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation