GHSA-3mjm-x6gw-2x42: @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
Summary
The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the missing headers remove a safety layer that would help prevent future vulnerabilities.
Solution / Mitigation
Update to version 0.70.4, which adds security headers to all responses. The fix adds these headers to the server code: Content-Security-Policy set to "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:", X-Frame-Options set to "DENY", and X-Content-Type-Options set to "nosniff". Alternatively, use a reverse proxy (nginx or Caddy) in front of the Grackle server to inject these security headers.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-3mjm-x6gw-2x42
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%