CVE-2025-41357
Received Received - Intake
Reflected XSS in Anon Proxy Server /diagdns.php Host Parameter

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'host' parameter in '/diagdns.php' endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41357
EUVD
EUVD-2025-209141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anonproxyserver anon_proxy_server 0.104
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue found in Anon Proxy Server version 0.104. It occurs in the 'host' parameter of the '/diagdns.php' endpoint. An attacker can exploit this by sending a malicious URL to a victim, causing the victim's browser to execute attacker-controlled JavaScript code.

This execution of malicious code can lead to unauthorized actions such as stealing sensitive user data like session cookies or performing actions on behalf of the user without their consent.

Impact Analysis

The impact of this vulnerability includes the potential theft of sensitive user information, such as session cookies, which can be used to hijack user sessions.

Additionally, attackers can perform unauthorized actions on behalf of the user, potentially leading to further compromise of user accounts or data.

Compliance Impact

The Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104 allows attackers to execute malicious JavaScript in a victim's browser, potentially stealing sensitive user data such as session cookies or performing unauthorized actions on behalf of the user.

Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information from unauthorized access and breaches.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing user data to attackers.

Detection Guidance

This vulnerability can be detected by testing the 'host' parameter in the '/diagdns.php' endpoint for reflected Cross-Site Scripting (XSS) issues. One common method is to send a crafted URL containing JavaScript payloads in the 'host' parameter and observe if the payload is executed or reflected in the response.

  • Use curl or similar tools to send requests with XSS payloads, for example: curl -v "http://target/diagdns.php?host=<script>alert(1)</script>"
  • Monitor HTTP responses for reflected script tags or suspicious JavaScript code in the response body.
  • Use web vulnerability scanners that support detection of reflected XSS vulnerabilities targeting specific parameters and endpoints.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Anon Proxy Server to the latest version where this reflected XSS vulnerability has been fixed.

Additionally, applying input validation and output encoding on the 'host' parameter in the '/diagdns.php' endpoint can help prevent exploitation.

As a temporary measure, consider implementing web application firewall (WAF) rules to block malicious payloads targeting this parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart