CVE-2025-9096: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js

August 18, 2025 (updated August 19, 2025)

A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/ExpressGateway/express-gateway
github.com/advisories/GHSA-xfp8-x3j6-h67v
github.com/freshfish-hust/my-cves/issues/6
github.com/freshfish-hust/my-cves/issues/6
nvd.nist.gov/vuln/detail/CVE-2025-9096
vuldb.com/?ctiid.320418
vuldb.com/?id.320418
vuldb.com/?submit.627833

Code Behaviors & Features

Detect and mitigate CVE-2025-9096 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →