VYPR
← All advisories
Low severity3.5NVD Advisory· Published Jun 23, 2025· Updated Apr 29, 2026

CVE-2025-6509

CVE-2025-6509

Description

A vulnerability was found in seaswalker spring-analysis up to 4379cce848af96997a9d7ef91d594aa129be8d71. It has been declared as problematic. Affected by this vulnerability is the function echo of the file /src/main/java/controller/SimpleController.java. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in seaswalker spring-analysis allows arbitrary JavaScript execution via the /echo endpoint due to insufficient input sanitization.

Vulnerability

Analysis

The vulnerability resides in the echo function of /src/main/java/controller/SimpleController.java within the seaswalker spring-analysis repository (up to commit 4379cce). The application takes user-supplied input via the name parameter and directly embeds it into the HTML output without proper sanitization or escaping, leading to a reflected Cross-Site Scripting (XSS) flaw [1].

Exploitation

Mechanism

An attacker can exploit this issue by crafting a GET request to /echo?name= and convincing a victim to open the link. The malicious script is reflected in the response and executed by the victim's browser, as the JSP template directly outputs the model attribute ${echo} without encoding [2]. No authentication is required, and the attack can be performed remotely.

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript into the web page, potentially leading to session hijacking, defacement, or redirection to malicious sites. However, the attack requires user interaction (clicking a crafted link) and is limited to the context of the victim's browser session.

Mitigation

The project uses rolling releases, so no specific patched version is available. The recommended remediation is to properly encode user-controlled data before rendering it in HTML, for example by using Spring's htmlEscape or a template engine that automatically escapes output.

References
  1. cve-proofs/POC-20250609-01/report.md at main · ShenxiuSec/cve-proofs
  2. cve-proofs/POC-20250609-01/report.md at main · ShenxiuSec/cve-proofs

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Seaswalker/Spring Analysisinferred2 versions
    <=4379cce848af96997a9d7ef91d594aa129be8d71+ 1 more
    • (no CPE)range: <=4379cce848af96997a9d7ef91d594aa129be8d71
    • (no CPE)range: <= 4379cce848af96997a9d7ef91d594aa129be8d71

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.