WatchTowr Discloses Memory Leak and Reflected XSS in Citrix NetScaler, Raises Concerns Over Design Patterns
WatchTowr Labs has disclosed two vulnerabilities in Citrix NetScaler appliances, including a reflected XSS (CVE-2025-12101) and a memory leak triggered by misconfiguration, highlighting ongoing fragility in memory management.

WatchTowr Labs has disclosed two vulnerabilities in Citrix NetScaler appliances that it discovered while analyzing the CitrixBleed2 (CVE-2025-5777) vulnerability. The findings include a memory leak condition (WT-2025-0089) and a reflected cross-site scripting (XSS) vulnerability assigned CVE-2025-12101 (WT-2025-0090). While the memory leak is considered unlikely to occur in real-world deployments, the researchers warn that the pattern of memory disclosure vulnerabilities in these critical security appliances is concerning.
The memory leak vulnerability, WT-2025-0089, arises when an administrator creates a new AAA (Authentication, Authorization, and Auditing) virtual server via the web interface without first enabling the AAA feature through the command-line interface (CLI). In this misconfigured state, browsing to the root page of the affected device causes it to leak memory contents. WatchTowr researchers discovered the issue while configuring a NetScaler appliance to reproduce CitrixBleed2, describing the configuration process as frustrating enough to make one "dream of a career in goat farming."
Citrix confirmed to WatchTowr that the memory leak stems from an unsupported configuration and that the feature will not function without being properly enabled via CLI. The company has since made code changes to prevent this misconfiguration in future releases. Citrix did not assign a CVE to this issue, and WatchTowr agrees that the real-world risk is minimal, noting they found no instances of this configuration on internet-exposed systems. However, the researchers emphasize that the broader trend of memory management fragility in NetScaler appliances is troubling, especially given the device's role as a security control.
The second vulnerability, CVE-2025-12101, is a reflected XSS flaw in the SAML RelayState parameter used in NetScaler's single sign-on (SSO) flows. An attacker can craft an HTTP POST request whose RelayState value, when processed by the appliance, is reflected unescaped and executes arbitrary JavaScript in the context of the victim's browser session. This could allow an attacker to steal session cookies, perform actions on behalf of an authenticated user, or deliver further payloads.
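As an added example (not WatchTowr's or Citrix's code), the Python below shows the defensive handling of RelayState that a SAML service provider needs to close off this bug class: an allowlist that accepts only a same-origin relative path, and HTML-escaping when the value is written back into a page. The length limit, character set and the hidden-field markup are assumptions, not NetScaler's own.

```python
"""Defensive RelayState handling for a SAML service provider (added example).

RelayState is opaque to the identity provider but is reflected by the service
provider into a redirect or a page, so it must be validated before it is used
and escaped when it is rendered. Limits below are constructed for illustration.
"""
import html
import re
from urllib.parse import urlsplit

MAX_RELAY_STATE_LEN = 512  # assumed limit; tune to the application's real paths
# Only a relative path, optionally with a simple query string, is accepted.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._~/\-]*(\?[A-Za-z0-9._~&=%\-]*)?$")


def validate_relay_state(value: str) -> tuple:
    """Return (accepted, reason). Only a same-origin relative path passes."""
    if not value:
        return False, "empty"
    if len(value) > MAX_RELAY_STATE_LEN:
        return False, "too long"
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Rejects absolute URLs, protocol-relative URLs and javascript:-style schemes.
        return False, "absolute URL or scheme present"
    if not SAFE_PATH_RE.match(value):
        # Quotes, angle brackets and other markup characters land here.
        return False, "disallowed characters"
    return True, "ok"


def render_post_back(relay_state: str) -> str:
    """Build the hidden field a service provider would emit in its auto-post form.

    A rejected value is replaced by a safe default, and the value is always
    HTML-escaped so even an accepted value cannot break out of the attribute.
    """
    accepted, _ = validate_relay_state(relay_state)
    safe = relay_state if accepted else "/"
    return (
        '<input type="hidden" name="RelayState" value="'
        + html.escape(safe, quote=True)
        + '">'
    )
```

The validation step is what prevents attacker-controlled markup from ever reaching the page; the escaping step is defence in depth for the case where the allowlist is later loosened.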
WatchTowr's disclosure comes amid a series of memory leak vulnerabilities in Citrix NetScaler, including the original CitrixBleed (CVE-2023-4966) and CitrixBleed2 (CVE-2025-5777), both of which were exploited in the wild to leak session tokens and facilitate ransomware attacks. The researchers note that the ease with which memory can be disclosed—even through accidental misconfiguration—raises questions about Citrix's design and architecture choices. "It feels like we are playing catch with a highly-sensitive gun that continues to harm innocent bystanders," they wrote.
Citrix has not yet released a security advisory for CVE-2025-12101, but WatchTowr's findings have been shared with the vendor. The reflected XSS vulnerability is considered more immediately exploitable than the memory leak, though it requires user interaction (e.g., clicking a crafted link). Organizations running Citrix NetScaler appliances are advised to review their AAA configuration and apply any forthcoming patches from Citrix. The broader lesson, according to WatchTowr, is that memory management in these appliances remains fragile, and the industry should expect further discoveries in this area.