CVE-2025-9095: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js

August 18, 2025 (updated August 19, 2025)

A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/ExpressGateway/express-gateway
github.com/advisories/GHSA-q4rg-7cjj-5r86
github.com/freshfish-hust/my-cves/issues/5
github.com/freshfish-hust/my-cves/issues/5
nvd.nist.gov/vuln/detail/CVE-2025-9095
vuldb.com/?ctiid.320417
vuldb.com/?id.320417
vuldb.com/?submit.627709

Code Behaviors & Features

Detect and mitigate CVE-2025-9095 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →