CVE-2025-11360
Description
A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross-site scripting. The attack can be executed remotely. Upgrading to version 1.13.2 is sufficient to resolve this issue. The patch is identified as e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. The affected component should be upgraded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-11360 is a medium-severity XSS vulnerability in jakowenko double-take up to 1.13.1, allowing remote attacks via the X-Ingress-Path header.
Analysis
The vulnerability exists in jakowenko double-take versions up to 1.13.1, specifically within the API component defined in api/src/app.js. The affected `app.use` handler does not sanitize the X-Ingress-Path header value before interpolating it into an inline `<script>` tag in the served HTML page. This allows an attacker to inject arbitrary JavaScript by supplying a crafted `X-Ingress-Path` header value [1][2].
Exploitation
The attack vector is remote and does not require authentication, so any client that can send HTTP requests to the vulnerable endpoint can trigger it. The vulnerability occurs when the `app.use` handler reads the `x-ingress-path` header and interpolates it directly into a JavaScript template literal that sets the `window.ingressUrl` variable. A header value containing, for example, a closing script tag followed by script content breaks out of the literal, and that content is then executed in the context of the user's browser [2].
Impact
Successful exploitation leads to Cross-Site Scripting (XSS), enabling an attacker to execute arbitrary scripts in the victim's browser session. This could result in data theft, session hijacking, or further malicious actions such as redirecting the user to a phishing site. The CVSS v3 score of 4.3 indicates a moderate severity, considering the ease of remote exploitation and potential impact [1].
Mitigation
The issue is resolved in version 1.13.2. The commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50 introduces proper serialization of values using JSON.stringify() before inserting them into the script, effectively preventing XSS. Users should upgrade to version 1.13.2 or later to remediate this vulnerability [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: v0.10.0, v0.10.1, v0.10.2, …
- (no CPE) range: <=1.13.1
Patches
- 92521a0bc8ba
- e11de9dd6b4e (the fix commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50 named in the Description)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (5)
News mentions (0)
No linked articles in our index yet.