CVE-2025-9096: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js

August 18, 2025 (updated September 23, 2025)

A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoint is not sanitized before being rendered by the admin/UI layer, allowing an authenticated, low-privileged actor to store or reflect a payload that executes in a maintainer’s browser when the resource is viewed. The issue can be triggered remotely over the network and does not impact availability. No vendor fix is available at this time.

References

github.com/ExpressGateway/express-gateway
github.com/advisories/GHSA-xfp8-x3j6-h67v
github.com/freshfish-hust/my-cves/issues/6
github.com/freshfish-hust/my-cves/issues/6
nvd.nist.gov/vuln/detail/CVE-2025-9096
vuldb.com/?ctiid.320418
vuldb.com/?id.320418
vuldb.com/?submit.627833

Code Behaviors & Features

Detect and mitigate CVE-2025-9096 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →