VYPR
Low severity (score 3.5) · GHSA Advisory · Published Aug 17, 2025 · Updated Apr 29, 2026

CVE-2025-9095

Description

A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in ExpressGateway's REST API allows injection of malicious scripts via user/app fields due to missing sanitization.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in ExpressGateway's REST API endpoints for user and application management (lib/rest/routes/users.js and lib/rest/routes/apps.js) up to and including version 1.16.10 [1]. The root cause is missing input validation: user-controlled fields such as firstname and name are passed straight from the request body to the service layer (e.g., usersSrv.insert()) without any filtering, so arbitrary HTML and JavaScript can be persisted in user and app records [1]. Nothing on the API side constrains what a later consumer of those records receives.

Exploitation

An attacker can remotely exploit this flaw by sending crafted POST or PUT requests to the /users or /apps endpoints with a payload in any of the controllable fields [1]. The payload is stored in the backend and executes when an administrator or other user views the affected record in a client that renders those fields as HTML without encoding them; that rendering step is what turns the stored value into script execution. No authentication is required if the endpoints are reachable by the attacker, and the cited source notes that the default configuration may allow unauthenticated access [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking, theft of sensitive information (e.g., API keys, credentials), and unauthorized actions on behalf of the victim. If a privileged user such as an administrator is targeted, the attacker could potentially elevate access, manipulate application data, or compromise the entire gateway [1].

Mitigation

The vendor was contacted but did not respond, and the project is now deprecated with no official fix available [4]. Users should restrict or disable network access to the REST API endpoints, enforce strict input validation in front of them (for example at a reverse proxy or web application firewall that rejects markup in user and app fields), make sure any UI that displays these records HTML-encodes the fields on output, audit already-stored records for injected markup, or migrate to an actively maintained alternative.
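The following is an added example, not code from express-gateway or from the advisory. It contrasts the unvalidated-insert pattern described in the Overview with a hardened variant that allowlists fields and values, shows the output-side HTML encoding a consuming UI needs, and includes the audit over already-stored records suggested above. The in-memory usersSrv stand-in, the field names and rules, and the sample request bodies are all constructed for illustration.

```javascript
// Added example (not express-gateway's code). `makeUsersSrv`, the field rules
// and the sample bodies below are hypothetical stand-ins for illustration.

// Minimal in-memory stand-in for a users service with an insert() method.
function makeUsersSrv() {
  const rows = [];
  return {
    insert(record) {
      const row = { id: rows.length + 1, ...record };
      rows.push(row);
      return row;
    },
    all() { return rows.slice(); },
  };
}

// Vulnerable pattern: the request body is persisted verbatim, markup included.
function insertUserUnsafe(usersSrv, body) {
  return usersSrv.insert(body);
}

// Hardened pattern: only known fields are accepted, each against a strict allowlist.
const USER_FIELD_RULES = {
  username:  /^[A-Za-z0-9._-]{1,64}$/,
  firstname: /^[\p{L}\p{M}' -]{1,64}$/u,
  lastname:  /^[\p{L}\p{M}' -]{1,64}$/u,
  email:     /^[^\s@<>"']{1,64}@[^\s@<>"']{1,255}$/,
};

function validateUserBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const clean = {};
  for (const key of Object.keys(body)) {
    const rule = USER_FIELD_RULES[key];
    if (!rule) { errors.push(`unknown field: ${key}`); continue; }
    const value = body[key];
    if (typeof value !== 'string' || !rule.test(value)) {
      errors.push(`invalid value for ${key}`);
      continue;
    }
    clean[key] = value;
  }
  if (!('username' in clean)) errors.push('username is required');
  return errors.length ? { ok: false, errors } : { ok: true, value: clean };
}

function insertUserSafe(usersSrv, body) {
  const v = validateUserBody(body);
  if (!v.ok) return { status: 400, errors: v.errors };
  return { status: 201, user: usersSrv.insert(v.value) };
}

// Output side: a UI rendering these records as HTML must encode every field.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.firstname ?? '')}</td></tr>`;
}

// Audit: return ids of stored records whose string fields contain markup or
// script-like content, to find payloads persisted before validation was added.
const MARKUP_RE = /<[^>]*>|javascript:|on\w+\s*=/i;
function auditStoredUsers(usersSrv) {
  return usersSrv.all()
    .filter(u => Object.values(u).some(v => typeof v === 'string' && MARKUP_RE.test(v)))
    .map(u => u.id);
}

// Constructed sample request bodies: one carrying a script payload, one benign.
const MALICIOUS_BODY = { username: 'mallory', firstname: '<script>alert(document.cookie)</script>' };
const BENIGN_BODY = { username: 'alice', firstname: "Mary-Jane O'Neil" };

function demo() {
  const unsafeStore = makeUsersSrv();
  insertUserUnsafe(unsafeStore, MALICIOUS_BODY);      // persisted as-is
  const safeStore = makeUsersSrv();
  const rejected = insertUserSafe(safeStore, MALICIOUS_BODY);
  const accepted = insertUserSafe(safeStore, BENIGN_BODY);
  return {
    flaggedInUnsafeStore: auditStoredUsers(unsafeStore),
    rejectedStatus: rejected.status,
    acceptedStatus: accepted.status,
    safeRow: renderUserRow(unsafeStore.all()[0]),     // payload rendered inert
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two defences are independent: input allowlisting keeps the payload out of the store, and output encoding keeps a payload that is already there from executing. A deployment that cannot patch the gateway should apply both, since the audit shows how records written before validation was enforced remain live until cleaned up.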

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: express-gateway (npm)
Affected versions: <= 1.16.10
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in the index yet)