CVE-2025-2123: GeSHi XSS possible in the get_var function of /contrib/cssgen.php

March 9, 2025 (updated June 23, 2025)

A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

References

github.com/GeSHi/geshi-1.0
github.com/GeSHi/geshi-1.0/issues/159
github.com/advisories/GHSA-pr6q-g5gv-qgr7
nvd.nist.gov/vuln/detail/CVE-2025-2123
vuldb.com/?ctiid.299036
vuldb.com/?id.299036
vuldb.com/?submit.507418

Code Behaviors & Features

Detect and mitigate CVE-2025-2123 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →