CVE-2025-9095: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js

August 18, 2025 (updated September 23, 2025)

A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-controlled input is reflected into the HTTP response without proper sanitization, allowing arbitrary JavaScript execution in the browser of a logged-in user who views the affected page/route. The attack can be triggered over the network with low complexity and requires a low-privileged authenticated context and user interaction (viewing the page). Impact is limited to confidentiality and integrity of the session in the affected UI.

References

github.com/ExpressGateway/express-gateway
github.com/advisories/GHSA-q4rg-7cjj-5r86
github.com/freshfish-hust/my-cves/issues/5
github.com/freshfish-hust/my-cves/issues/5
nvd.nist.gov/vuln/detail/CVE-2025-9095
vuldb.com/?ctiid.320417
vuldb.com/?id.320417
vuldb.com/?submit.627709

Code Behaviors & Features

Detect and mitigate CVE-2025-9095 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →