CVE-2019–8400: Reflected XSS in ORY Hydra

Sudhanshu Rajbhar
2 min readApr 10, 2019

Heyy Everyonee,hope you all are doing good.

I am back with another blog, probably you’re wondering that this blog is also going to be about xss, well you’re right.But I got something great along with the bounty this time which really means a lot to me a CVE was assigned for it.



Version affected: < v1.0.0-rc.3


Short Story…

Few months back I found a xss in one of Zomato’s website, after reporting it I came to know that the problem was in ORY Hydra, a service which Zomato was using for authentication on one of their services.You can get the whole story here: link.

Let’s move to POC

Just take an example this is the url:

Make some changes in the redirect_uri parameter value, and you will be redirected to an Error page.

Default error page of ORY Hydra

As you can see parameters value is getting reflected in the source code.

Just by using the payload <marquee loop%3d1 width%3d0 onfinish%3dco\u006efirm(document.cookie)>XSS<%2fmarquee> in any of the available parameter.You can get the xss popup.

It was fixed just within few hours by the maintainers of ORY Hydra.


Just by upgrading to the latest version ORY Hydra and setting up a custom error reporting endpoint can solve this problem.