CVE-2025-25247: Apache Felix Webconsole: XSS in services console

February 10, 2025

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Felix Webconsole.

This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.

Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.

References

github.com/advisories/GHSA-4c37-7m5h-c8m9
github.com/apache/felix-dev
github.com/apache/felix-dev/commit/87513ea3533fdb79d9e2b251410bf2bfbd63941e
lists.apache.org/thread/z47jbf0rbylzd0ktfzdw9c8b5fpyl24m
nvd.nist.gov/vuln/detail/CVE-2025-25247

Detect and mitigate CVE-2025-25247 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →