VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Mar 17, 2025 · Updated Apr 15, 2026

CVE-2025-2361

Description

A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mercurial hgweb is vulnerable to reflected XSS via the 'cmd' argument, allowing remote attackers to inject JavaScript.

Vulnerability

Overview

CVE-2025-2361 is a reflected cross-site scripting (XSS) vulnerability in hgweb, the web interface of Mercurial SCM. The affected code has not been pinpointed; the advisory attributes the flaw to the handling of the cmd argument. An attacker who gets a victim to open a crafted link whose cmd parameter carries JavaScript can run that script in the victim's browser in the context of the hgweb site [1]. The advisory lists 4.5.3/71.19.145.211 as the affected version string, but the insecure pattern may exist in other versions.

Exploitation

Exploitation requires no authentication to the hgweb instance: the attacker only needs a user with access to the interface to open a crafted URL, whose cmd value is then reflected into the response body. The disclosure notes that in production deployments served through mod_wsgi the attempt may be rejected with a 500 error instead of executing the script, but that is a side effect of the deployment rather than a guaranteed mitigation [1].
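The reflection described above, and a check for it, as an added example in Python (Mercurial's own language). This is not hgweb's code: the dispatcher below is a constructed stand-in for a view selected by the cmd parameter, KNOWN_COMMANDS and the sample access-log lines are invented, and the only claim it makes is the general one the advisory supports: an unescaped cmd value lands in the HTML body, an HTML-escaped one does not.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed model of a cmd-driven dispatcher (illustrative, not hgweb's code).
KNOWN_COMMANDS = {"summary", "log", "changeset", "file"}


def dispatch_unescaped(query_string):
    """Vulnerable pattern: an unknown cmd value is interpolated into the
    HTML error body verbatim, so the browser parses attacker-supplied markup."""
    cmd = parse_qs(query_string, keep_blank_values=True).get("cmd", [""])[0]
    if cmd in KNOWN_COMMANDS:
        return 200, f"<html><body><h1>{cmd}</h1></body></html>"
    return 400, f"<html><body>no such method: {cmd}</body></html>"


def dispatch_escaped(query_string):
    """Hardened pattern: the same reflection, but the untrusted value is
    HTML-escaped (quotes included) before it reaches the response body."""
    cmd = parse_qs(query_string, keep_blank_values=True).get("cmd", [""])[0]
    if cmd in KNOWN_COMMANDS:
        return 200, f"<html><body><h1>{cmd}</h1></body></html>"
    safe = html.escape(cmd, quote=True)
    return 400, f"<html><body>no such method: {safe}</body></html>"


def crafted_url(base, payload):
    """Build the kind of link an attacker would hand to a victim; the payload
    is percent-encoded, so it survives the trip and decodes server-side."""
    return f"{base}?{urlencode({'cmd': payload})}"


# Characters and tokens that never appear in a legitimate hgweb command name.
_SUSPECT = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)
# Combined/common log format: client, ident, user, [time] "METHOD target proto" status
_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def find_cmd_injection(log_lines):
    """Scan access-log lines and return (client, decoded cmd, status) for
    requests whose cmd value carries HTML or script markers. Decoding first
    matters: the payload arrives percent-encoded, so a raw grep for '<' misses it."""
    hits = []
    for line in log_lines:
        m = _REQ.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        query = urlsplit(target).query
        for cmd in parse_qs(query, keep_blank_values=True).get("cmd", []):
            if cmd not in KNOWN_COMMANDS and _SUSPECT.search(cmd):
                hits.append((client, cmd, int(status)))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2025:10:01:12 +0000] "GET /hg/repo?cmd=log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Mar/2025:10:02:45 +0000] "GET /hg/repo?cmd=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 400 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Mar/2025:10:03:01 +0000] "GET /hg/repo?cmd=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    url = crafted_url("https://hg.example.test/repo", "<script>alert(1)</script>")
    qs = urlsplit(url).query
    print(url)
    print("vulnerable:", dispatch_unescaped(qs))
    print("hardened:  ", dispatch_escaped(qs))
    for hit in find_cmd_injection(SAMPLE_LOG):
        print("suspicious cmd:", hit)
```

The third sample line models the mod_wsgi behaviour mentioned above: the request is logged with a 500 rather than a 400, so a detection rule keyed only on the 400 "no such method" response would miss it. The scanner therefore keys on the decoded parameter value, not the status code.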

Impact

Successful exploitation runs attacker-controlled JavaScript in the victim's browser under the origin of the hgweb application. Depending on how the instance is deployed and what the victim is allowed to do, that can mean hijacking the victim's session, performing actions with their privileges, defacing the page, or exfiltrating sensitive repository content displayed in the interface.

Mitigation

The fix shipped in Mercurial 6.9.4, an out-of-schedule security release [1]. Users should upgrade to that version or later; since the exploit has been published, the upgrade should not be deferred. No response was received from the vendor when it was initially contacted about the flaw.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)