Cross-Site Request Forgery (CSRF) in yourls/yourls


Reported on Dec 24th 2021


  1. Hi there YOURLS team, I would like to report a Cross-Site Request Forgery vulnerability in YOURLS. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
  2. In the case of YOURLS, this CSRF allows a hacker to trick a user into logging out of YOURLS.

Proof of Concept

  1. Install a local instance of YOURLS.
  2. Access this link: admin/index.php?action=logout
  3. See that you are logged out of YOURLS.
  4. In a real attack scenario, the hacker would feed this URL to the targeted user, and when they click the link, they are automatically logged out of YOURLS.


This vulnerability is capable of CSRF.
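The pattern behind this report, as an added PHP example that is not YOURLS's code (the project's own fix is the commit referenced below in this thread): a GET-driven logout handler in its unprotected form beside a nonce-protected one. The function names, the `admin_logout` action label and the secret are assumptions.

```php
<?php
// Added example, not YOURLS code: a GET-driven logout handler without and with a
// CSRF nonce. Function names, the 'admin_logout' label and the secret are hypothetical.

// Vulnerable form: any cross-site link or <img src> pointing at ?action=logout ends
// the session, because nothing proves the user meant to send this request.
function handle_logout_unprotected(array $get): bool
{
    if (($get['action'] ?? '') !== 'logout') {
        return false;
    }
    // ... destroy the session here ...
    return true;
}

// Hardened form: the logout link carries a nonce that only the server can mint,
// bound to the action, the user and a 12-hour time bucket, so a third-party page
// cannot guess it and a leaked link does not stay valid forever.
function create_nonce(string $action, string $user, string $secret, ?int $tick = null): string
{
    $tick = $tick ?? intdiv(time(), 43200);
    return substr(hash_hmac('sha256', "$action|$user|$tick", $secret), 0, 16);
}

function verify_nonce(string $action, string $user, string $secret, string $nonce): bool
{
    $now = intdiv(time(), 43200);
    foreach ([$now, $now - 1] as $tick) {          // accept the current and previous bucket
        if (hash_equals(create_nonce($action, $user, $secret, $tick), $nonce)) {
            return true;
        }
    }
    return false;
}

function handle_logout_protected(array $get, string $user, string $secret): bool
{
    if (($get['action'] ?? '') !== 'logout') {
        return false;
    }
    if (!verify_nonce('admin_logout', $user, $secret, (string) ($get['nonce'] ?? ''))) {
        http_response_code(403);                   // forged or stale request: refuse it
        return false;
    }
    // ... destroy the session here ...
    return true;
}

// The logout link rendered for the logged-in user must embed the nonce; the bare
// PoC URL from the report no longer carries one.
$secret = 'constructed-server-secret';            // a random per-install value in practice
$link   = 'admin/index.php?action=logout&nonce=' . create_nonce('admin_logout', 'admin', $secret);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(handle_logout_protected(['action' => 'logout'], 'admin', $secret));   // the report's PoC URL
var_dump(handle_logout_protected($query, 'admin', $secret));                   // the nonced logout link
```

The nonce must be checked server-side before the state change; rendering it into the link alone does nothing if the handler still accepts a request without it.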

We are processing your report and will contact the yourls team within 24 hours. 2 years ago
We have contacted a member of the yourls team and are waiting to hear back 2 years ago
྅༻ Ǭɀħ ༄༆ཉ
2 years ago


Yeah, indeed. Thanks for reporting. I've filed an issue as a reminder and will check this after the holidays

2 years ago


Hi there, thank you for your response. Would you mind validating this report?

We have sent a follow up to the yourls team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the yourls team. We will try again in 10 days. 2 years ago
yourls/yourls maintainer validated this vulnerability 2 years ago
ComradeKtg has been awarded the disclosure bounty
The fix bounty is now up for grabs
྅༻ Ǭɀħ ༄༆ཉ marked this as fixed in 1.8.3 with commit 1de256 2 years ago
྅༻ Ǭɀħ ༄༆ཉ has been awarded the fix bounty
This vulnerability will not receive a CVE
admin-ajax.php#L43 has been validated
྅༻ Ǭɀħ ༄༆ཉ
2 years ago


Note that it's the 3rd or 4th time I have been "awarded the fix bounty" and I have not yet been actually awarded something... :)
