VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Oct 14, 2025 · Updated Apr 15, 2026

CVE-2025-42901

Description

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in a victim user's browser when accessing the affected functionality of the BAPI explorer. This has low impact on confidentiality and integrity, with no impact on availability of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP Application Server for ABAP has a stored XSS vulnerability in the BAPI explorer that allows authenticated attackers to execute malicious scripts in victim browsers.

Vulnerability Overview

CVE-2025-42901 is a stored cross-site scripting (XSS) vulnerability in SAP Application Server for ABAP. The affected component is the BAPI explorer functionality, which handles Business Application Programming Interface (BAPI) metadata. The root cause is insufficient input sanitization when processing data that is later displayed to other users, allowing an authenticated attacker to inject malicious JavaScript payloads that are persistently stored on the server.

Attack Vector

An attacker must first obtain valid authentication credentials to the SAP ABAP system. Once authenticated, the attacker can craft a request to store arbitrary JavaScript code within the BAPI explorer's data fields. When an administrator or other victim accesses the same BAPI explorer function, the stored payload executes within their browser context. This attack does not require any special network position beyond being able to send HTTP requests to the affected endpoint [1].

Impact

Successful exploitation leads to partial compromise of confidentiality and integrity for the victim's session. The attacker can perform actions such as stealing session tokens, manipulating displayed data, or performing administrative actions through the victim's authenticated context. The CVSS v3 base score is 5.4 (Medium), with the official description noting low impact on confidentiality and integrity and no impact on availability.

Remediation

SAP has addressed this issue in its monthly Security Patch Day cycle. Organizations should apply the relevant SAP Security Note for CVE-2025-42901 from the October 2025 patch batch. SAP recommends implementing corrections as a priority and provides tools in SAP for Me to identify and select the appropriate fixes [1]. No workarounds are documented; patching is the recommended remediation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)