{"data":{"id":"94c401ef-3f6f-4c40-9db7-a31f0f3f0b2f","title":"GHSA-3mjm-x6gw-2x42: @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers","summary":"The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the absence of these headers removes a defensive layer that would help mitigate future vulnerabilities.","solution":"Update to version 0.70.4, which adds security headers to all responses. The fix adds these headers in the server code: Content-Security-Policy set to \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:\", X-Frame-Options set to \"DENY\", and X-Content-Type-Options set to \"nosniff\". Alternatively, place a reverse proxy (nginx or Caddy) in front of the Grackle server and have it add these security headers to its responses.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-3mjm-x6gw-2x42","publishedAt":"2026-03-25T17:32:04.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["@grackle-ai/server@<= 0.70.3 (fixed: 0.70.4)"],"affectedVendors":[],"affectedVendorsRaw":["Grackle AI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-03-25T17:32:04.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}