CVE-2025-9096
BaseFortify
Publication date: 2025-08-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| expressgateway | express-gateway | * |
| expressgateway | express-gateway | 1.16.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9096 is a reflected cross-site scripting (XSS) vulnerability in Express Gateway versions up to 1.16.10. It occurs because the application fails to properly sanitize user input in the REST API endpoints /apps/:id and /users/:id. Specifically, unsanitized input from the URL path parameter is directly included in HTML error responses, allowing an attacker to craft malicious URLs containing JavaScript code. When a victim, such as an administrator, accesses such a URL, the injected script executes in their browser, potentially leading to session hijacking, unauthorized actions, or data theft. [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute arbitrary JavaScript in the context of your users' browsers, especially administrators or privileged users. This can lead to session hijacking, privilege escalation, unauthorized actions, data exfiltration, and phishing or UI redress attacks. Since the exploit is easy to perform and publicly available, attackers can remotely target your system without needing special privileges, potentially compromising the integrity of your application and user data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected REST endpoints (/apps/:id and /users/:id) for reflected cross-site scripting (XSS). You can craft URLs with malicious payloads in the :id parameter and observe if the server reflects the input unsanitized in the response. For example, use curl or a browser to send requests like: curl -i "http://<target-host>/apps/%3Cscript%3Ealert('XSS')%3C/script%3E" and check if the response contains the injected script. Additionally, monitoring HTTP responses for reflected input in error messages can help detect the vulnerability. Since the vulnerability is in the REST endpoint and involves reflected input in error responses, manual or automated scanning tools that test for reflected XSS on these endpoints can be used. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Avoid exposing the vulnerable endpoints (/apps/:id and /users/:id) to untrusted users or the public network. 2) Implement output encoding by properly HTML-encoding all user-supplied input before including it in responses to prevent script execution. 3) Change error responses to use safer content types such as text/plain or JSON instead of text/html to prevent browsers from executing injected scripts. 4) If possible, replace or upgrade the affected Express Gateway version, although no vendor patch is currently available. 5) Consider disabling or restricting administrative API access until a fix or workaround is applied. These steps reduce the risk of exploitation until a proper patch or update is released. [3, 2]