Cross-Site Scripting Vulnerability in Apache SkyWalking
CVE-2025-54057

6.1 MEDIUM

Key Information:

Vendor: Apache

CVE Published: 27 November 2025

What is CVE-2025-54057?

CVE-2025-54057 is a cross-site scripting (XSS) vulnerability identified in Apache SkyWalking, an open-source application performance monitoring tool used to observe and analyze cloud-native microservices. The vulnerability arises from improper handling of script-related HTML tags, which allows an attacker to inject scripts into web pages served by the application. Injected scripts run in the browser alongside the application's own client-side code, threatening end-user data and the integrity of the monitoring data that organizations view through SkyWalking. If exploited, this flaw could undermine user interactions, lead to unauthorized data access, or enable further attacks within an organization's environment, particularly where sensitive application performance data is displayed to end users or administrators.

Potential impact of CVE-2025-54057

  1. Data Theft: The vulnerability can allow attackers to execute scripts in the context of a user's session, potentially giving them unauthorized access to sensitive user information held by the web application or on the client side. This may facilitate data exfiltration and further exploitation.

  2. Session Hijacking: Exploiting this XSS vulnerability can allow attackers to take control of user sessions, enabling them to impersonate legitimate users. This can lead to unauthorized actions performed in the context of a user account, potentially compromising both user and system integrity.

  3. Trust Exploitation: By leveraging this vulnerability, attackers can abuse the trust users place in the Apache SkyWalking interface. Successful exploitation may result in users unknowingly executing malicious commands, weakening an organization's security posture and opening the door to downstream attacks.

Affected Version(s)

Apache SkyWalking: all versions up to and including 10.2.0 (0 <= version <= 10.2.0)

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Credit

Vinh Nguyễn Quang ([email protected])