CVE-2025-9095

Summary

A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
ExpressGatewayexpress-gateway1.16.0affected
ExpressGatewayexpress-gateway1.16.1affected
ExpressGatewayexpress-gateway1.16.2affected
ExpressGatewayexpress-gateway1.16.3affected
ExpressGatewayexpress-gateway1.16.4affected
ExpressGatewayexpress-gateway1.16.5affected
ExpressGatewayexpress-gateway1.16.6affected
ExpressGatewayexpress-gateway1.16.7affected
ExpressGatewayexpress-gateway1.16.8affected
ExpressGatewayexpress-gateway1.16.9affected
ExpressGatewayexpress-gateway1.16.10affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References