HN Reader

This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

This is a pretty scary exploit, considering how easily it could be abused.

Imagine just one link in a tweet, support ticket, or email: https://discord.com/_mintlify/static/evil/exploit.svg. If you click it, JavaScript runs on the discord.com origin.

Here's what could happen:

- Your Discord session cookies and token could be stolen, leading to a complete account takeover.

- read/write your developer applications & webhooks, allowing them to add or modify bots, reset secrets, and push malicious updates to millions.

- access any Discord API endpoint as you, meaning they could join or delete servers, DM friends, or even buy Nitro with your saved payment info.

- maybe even harvest OAuth tokens from sites that use "Login with Disord."

Given the potential damage, the $4,000 bounty feels like a slap in the face.

edit: just noticed how HN just turned this into a clickable link - this makes it even scarier!

How these companies don't hire kids like Daniel for pennies on the dollar and have him attack their stacks on a loop baffles me. Pay the kid $50k/yr (part time, he still needs to go to school) to constantly probe your crappy stacks. Within a year or two you'll have the most goddamn secure company on the internet - and no public vulns to embarrass you.

Nice discovery and writeup. Let alone for a 16 yo!.

I've never heard an XSS vulnerability described as a supply-chain attack before though, usually that one is reserved for package managers malicious scripts or companies putting backdoors in hardware.

The fact that SVG files can contain scripts was a bit of a mistake. On one hand, the animations and entire interactive demos and even games in a single SVG are cool. But on the other hand, it opens up a serious can of worms of security vulnerabilities. As a result, SVG files are often banned from various image upload tools, they do not unfurl previews, and so on. If you upload an SVG to discord, it just shows the raw code; and don't even think about sharing an SVG image via Facebook Messenger, Wechat, Google Hangouts, or whatever. In 2025, raster formats remain way more accessible and easily shared than SVGs.

This is very sad because SVGs often have way smaller file size, and obviously look much better at various scales. If only there was a widely used vector format that does not have any script support and can be easily shared.

Their collaborator's report includes a more significant issue, an RCE on a mintlify server: https://kibty.town/blog/mintlify/

Proxying from the "hot" domain (with user credentials) to a third party service is always going to be an awful idea. Why not just CNAME Mintlify to dev-docs.discord.com or something?

This is also why an `app.` or even better `tenant.` subdomain is always a good idea; it limits the blast radius of mistakes like this.

decided to make a new account to post:

Mintlify security is the worse I have even encountered in a modern SaaS company.

They will leak your data, code, assets, etc. They will know they did this. You will tell them, they will acknowledge that they knew it happened, and didn't tell you.

Your docs site will go down, and you will need to page their engineers to tell them its down. This will be a surprise to them.

Seems like such a tiny amount of money for a bug that can be used to completely own your customers accounts. Also not much excuse for xss these days.

Ok, I’m never opening an svg ever again.

Found by a 16 year old, what a legend.

Given this (including the linked writeup on the mintlify RCE), after the React RCE, if think it should be pretty obvious that

1. content security policies should always be used to prevent such scripts (here they would prevent execution of scripts from the SVG)

2. The JavaScript ecosystem should be making ` --disallow-code-generation-from-strings` a default recommendation when running NodeJS on the server.

Vercel (and other nodejs as a service providers) should warn customers that don't use CSP and `--disallow-code-generation-from-strings` that their settings should be improved.

There are a bunch of other NodeJS flags that maybe you should look into too: https://sgued.fr/blog/react-rce/#node-js-mitigations

Interesting timing — we captured downstream exploitation of this exact attack surface.

  38 days after @hackermondev's disclosure, our automated OSINT harvester pulled 121 IOCs from OpenPhish/OTX:           
                                                                                                                        
  - 101 URLs for discord.flawing.top/blog/* (mimicking Discord's documentation structure)                               
  - 20 URLs for openopenbox301.vercel.app (phishing hosted ON Vercel)                                                   
                                                                                                                        
  The attackers read the same disclosures we do. They just build infrastructure instead of writing reports.             
                                                                                                                        
  Evidence (queryable):                                                                                                 
  curl "https://analytics.dugganusa.com/api/v1/search?q=discord.flawing.top"                                            
                                                                                                                        
  Full writeup with IOCs: https://www.dugganusa.com/post/mintlify-xss-downstream-exploitation-captured                  
                                                                                                                        
  STIX feed (free): https://analytics.dugganusa.com/api/v1/stix-feed

Slightly related, as someone who doesn’t engage in this type of work, I’m curious about the potential risks associated with discovering, testing, and searching for security bugs. While it’s undoubtedly positive that this individual ultimately became a responsible person and disclosed the information, what if they hadn’t? Furthermore, on Discord’s side, what if they were unaware of this person and encountered someone attempting to snoop on this information, mistakenly believing them to be up to no good? Has there been cases where the risk involved wasn’t justified by the relatively low $4k reward? Or any specific companies you wouldn’t want to do this with because of a past incident with them?

Not shocked given the following statement from Mintlify to a recruiter a few months ago:

"I'd rather hire a junior dev who knows the latest version of NextJS than a senior dev who is experienced with an earlier version."

This would be a forgivable remark, except the recruiter was aware of the shortsightedness, and likely attempted to coach the hiring manager...

at this point I feel like it'd be useful for web server default configurations to include something like

    if extension == .svg
       set-header Content-Security-Policy: script-src 'none'
    end

wouldn't that stop a browser from running scripts, even if the svg file is opened directly? having this be widespread would solve it wholesale.

The linked site https://heartbreak.ing/ explains that Mintlify disabled CORS, so that 3rd party sites can run code in your Mintlify-using environment (X, Vercel, etc).

The OP site says that .svg files can only run scripts if they are directly opened, not via <img> tags.

So how does the attack work?

Mintlify does look pretty, but between that and all the React exploits, I'll stick with good ol' static sites.

Kinda why I built ReallySimpleDocs [1]. Add Pages CMS [2] to it and you're set.

[1]: https://reallysimpledocs.com/

[2]: https://pagescms.org

>AI-powered documentation platform. You write your documentation as markdown and Mintlify turns it into a beautiful documentation platform

Why do you need AI for this? Aren't there tons of packages which do very similar things without AI?

This is a great example of why a Content-Security-Policy (CSP Header) should be considered mandatory for high risk sites. With it you can effectively tell the browser what JS is allowed to run, meaning that any JS injected via XSS won't work.

I suspect Coinbase and others already use CSP.

https://en.wikipedia.org/wiki/Content_Security_Policy

Cool. Makes me want to get into that — checking out sites for vulnerabilities. Very impressive for a 16 year old. Should definitely have been paid more.

I've been following the rise of SVG based attacks recently... It's not just hypothetical anymore... People are using SVG files to deliver full phishing pages and drive by downloads by hiding JavaScript in the markup

ALSO as someone who maintains a file upload pipeline I run every SVG through a sanitizer... Tools like DOMPurify remove scripts and enforce a safe subset of the spec... I even go as far as rasterizing user uploaded vectors to PNG when possible

HOWEVER the bigger issue is mental... Most folks treat SVG like a dumb image when browsers treat it like executable content... Until the platform changes that expectation there will always be an attack surface

I run an infosec firm and we have done attacks like this on my clients over and over and over in audits. I always say any bored teen could do most of what we do because most companies are moving too fast feature farming to have any time for responsible security hardening, and now I have yet another great citation.

Unfortunately a competitive rate agreed to in advance with a company before we do any pentesting is the only way we have ever been able to get paid fairly for this sort of work. Finding bugs in the wild as this researcher did often gets wildly underpaid relative to the potential impact of the bug, if they pay or take it seriously at all.

These companies should be ashamed paying out so little for this, and it is only a matter of time before they insult the wrong researcher who decides to pursue paths to maximum profit, or maximum damage, with a vuln like this.

Sounds like you pwned Mintlify!

It’s clear to me now that I need to set up my home machine the way I set up BYOD when I was contracting last. I need a separate account for all of my development.

I have a friend who at one point had five monitors and 2 computers (actually it might be 3) on his desk and maybe he’s the one doing it right. He keeps his personal stuff and his programming/work stuff completely separate.

fascinating! but this is not a supply-chain attack unless i'm misunderstanding

I really don't get the appeal to have everything om one top-level domain, especially completely separate or even external services. The scope of this would've been basically zero if they just put it on docs.discord.com.

Especially something like this, where they were reverse proxying a SaaS, seems extra stupid. It's more work to set up, adds an unnecessary dependency between services and you end up paying for all the internet traffic three times (even if not directly).

I struggle to understand the issue .. could someone help me out ?

Ok, you got "https://discord.com/_mintlify/_static/hackerone-a00f3c6c/lma..." to send a controlled payload

But regular users will never hit "https://discord.com/_mintlify/_static/hackerone-a00f3c6c/lma...", so they will never execute your script

I fail to understand how this can be exploited, by whom and in what conditions

Okay, seriously, can we just get one, just ONE document/image spec that doesn't let you embed scripts or remote content? What is with this constant need to put the same exactly vulnerability into EVERYTHING?! Just let me have a spec for completely static documents, jfc!

Btw, apart from Discord, you really should stop using the other ones (X, Vercel, Cursor...). Do yourself and the planet a favour :)

A lesson from this is that you shouldn't host third-party stuff in your own domain. Instead of placing it on docs.discord.com, place it on discord-docs.com.

$11k in bounties. Might have got more from the onion.

Damn, this is a good era to be in high school (or university) with a lot of free time. $4000 is a pretty good haul for a few hours of work poking at stuff.

> If you didn't know, you can embed JavaScript into an SVG file.

Oh yikes. I did not know.

It is clear that SVG should not support scripts and CSS in SVG files. Those who need them can simply create HTML with inline SVG tags and scripts. And SVG should contain only shapes, effects and transformations.

Or maybe we need a new image format, "SVG without scripts and CSS".

Link here is to gist , but on lobste.rs some one posted link to Eva's blog. And it with links to friends blogs, feel so much like old internet. I dont even know what I enjoyed more, reading technical side or discovering this dark forest.

They have more security incidents than you'd expect for a documentation company. There was another one just last month.

The collected bounty on this should have been so much higher than $14K :/

JFC bug bounty money is pathetic now. This would have destroyed this company's reputation, downstream effects for customer reputations and data.

Move fast and break things?

I have this feeling with almost all web tools I am required to use nowadays.

No trust.

this was very well-written and the moving parts were quite easy to understand.

simultaneously there are many opportunities throughout to harden one's app to avoid similar exploits.

- enormously awesome

- that bug bounty was insufficient (Fidelity?!?!)

Who ever invented the idea that you can embed Javasript to picture files?

could `Sec-Fetch-Dest: image` mitigate this?

every commit in every open source project should now go through an AI to see if it can detect anything nefarious. I'm sure there are ways to fool it but it makes it a lot easier for bad actors to get caught.

One of these days I'm gonna have to learn why cross-site scripting even matters, especially with modern browsers restricting a script's access to anything local

Everything is Swiss cheese. Let's just go back to paper and pen and one time pads.

Cool bug. Bug bounty money is pathetic.

Really nice finding for such a young folk - really liked reading into it.Also what i love most about it is what an actually simple vuln it is.

Tho what i find mostly funny bout it is how many people are complaining about the 4k$.

I mean sure the potential "damage" could have been alot higher, tho at the same time there was no contract in place or , at least as far as i understood, a clear bug bounty targeted. This was a, even if well done, random checking of XHR/Requests to see if anything vulnerable can be found - searching for kinda file exposure / xss / RFI/LFI. So everything paid (and especially since this is a mintlify bug not an actual discord bug) is just a nice net gain.

Also ill just drop here : ask yourself, are you searching for such vulns just for money or to make the net a safer place for everyone. Sure getting some bucks for the work is nice, but i personally just hope stuff gets fixed on report.

16 year olds rule the world.