CVE-2025-9096 – express-gateway

Package

Manager: npm
Name: express-gateway
Vulnerable Version: >=0 <=1.16.10

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00031 pctl0.07373

Details

ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

Created: 2025-08-18T00:30:30Z
Modified: 2025-08-19T16:10:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xfp8-x3j6-h67v/GHSA-xfp8-x3j6-h67v.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xfp8-x3j6-h67v
Finding: F425
Auto approve: 1