CVE-2025-9096
Description
A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Express Gateway ≤1.16.10 has a reflected XSS vulnerability in its REST API via unsanitized user input in error responses.
Vulnerability Analysis
A reflected cross-site scripting (XSS) vulnerability has been identified in Express Gateway REST API endpoints, specifically within the lib/rest/routes/apps.js file. The root cause is that user-controlled input from req.params.id is concatenated directly into error messages without HTML escaping or output encoding. When a resource is not found, the server sends a response like Application not found: <user_input> using res.send(), which for a string body sets the Content-Type to text/html, so the browser interprets any markup echoed from the parameter, including script tags [2][3].
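The error path described above, modelled as an added example (not express-gateway's own code) beside two hardened forms. The `buildNotFound*`, `escapeHtml` and `reflectsRawMarkup` helpers are hypothetical, and a plain response object stands in for Express's `res` so it runs without the framework installed.

```javascript
// Added example, not express-gateway's code: a model of the error path above.
// Express's res.send(string) sets Content-Type text/html, so a message built
// from req.params.id is rendered as markup. The plain response object stands
// in for Express's `res` so this runs without the framework (assumption).

// Vulnerable pattern: raw path parameter concatenated into an HTML response.
function buildNotFoundVulnerable(id) {
  return {
    status: 404,
    contentType: 'text/html; charset=utf-8',
    body: 'Application not found: ' + id,
  };
}

// Minimal HTML entity escaping for text interpolated into an HTML body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened form 1: keep the HTML message but escape the echoed value.
function buildNotFoundEscaped(id) {
  return {
    status: 404,
    contentType: 'text/html; charset=utf-8',
    body: 'Application not found: ' + escapeHtml(id),
  };
}

// Hardened form 2 (preferred for a REST API): answer as res.json() would;
// browsers do not render application/json as markup, so nothing executes.
function buildNotFoundJson(id) {
  return {
    status: 404,
    contentType: 'application/json; charset=utf-8',
    body: JSON.stringify({ error: 'Application not found', id: String(id) }),
  };
}

// Defender-side check: does an HTML response echo the parameter's markup
// characters verbatim? True flags the reflected-XSS pattern.
function reflectsRawMarkup(resp, id) {
  return resp.contentType.startsWith('text/html') &&
    /[<>]/.test(id) && resp.body.includes(id);
}

// Constructed sample id containing markup characters (not a payload).
const SAMPLE_ID = '<b>unknown</b>';
```

Running `reflectsRawMarkup` over captured 404 responses is a cheap way to confirm whether a deployed instance still reflects the parameter unescaped.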
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the :id parameter of the /apps/:id endpoint (and likely the /users/:id endpoint as well). No authentication is required if the administrative APIs are exposed. The attack is performed remotely via a specially crafted HTTP request; when a victim, such as an administrator, visits the URL, the injected script is reflected in the server's response and executed in the victim's browser [2][3]. A proof-of-concept curl command demonstrates the issue by sending a payload that triggers an alert on the victim's browser [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, defacement, or theft of sensitive information (e.g., API keys, credentials) if the victim is an authenticated administrator with access to the Express Gateway management interface [2][3]. The vulnerability is rated as low severity (CVSS v3 base score 3.5) due to the requirement for user interaction and the context-dependent impact [1].
Mitigation
The Express Gateway project has been officially deprecated and is no longer maintained, as noted in the official GitHub repository [4]. The vendor was contacted early about this disclosure but did not respond, and no patch has been released [1]. Users are advised to restrict access to the administrative REST API endpoints (e.g., through network segmentation, firewalls, or reverse proxy authentication) or migrate to an actively maintained API gateway solution [2][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express-gateway (npm) | <= 1.16.10 | — |
Affected products
- (no CPE) range: <= 1.16.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xfp8-x3j6-h67v (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-9096 (advisory, via GHSA)
- github.com/freshfish-hust/my-cves/issues/6 (web, via NVD)
- vuldb.com (web, via NVD)
News mentions
No linked articles in our index yet.