CVE-2025-9095 – express-gateway

Package

Manager: npm
Name: express-gateway
Vulnerable Version: >=0 <=1.16.10

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00031 pctl0.07373

Details

ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

Created: 2025-08-18T00:30:30Z
Modified: 2025-08-19T16:10:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-q4rg-7cjj-5r86/GHSA-q4rg-7cjj-5r86.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-q4rg-7cjj-5r86
Finding: F425
Auto approve: 1