Cross Site Scripting Vulnerability in ExpressGateway by FreshFish
CVE-2025-9095

3.5 LOW

Key Information:

Vendor: FreshFish

CVE Published: 17 August 2025

What is CVE-2025-9095?

A security flaw has been identified in ExpressGateway, affecting versions up to 1.16.10. The vulnerability resides in the code that handles REST Endpoint processing, specifically in 'lib/rest/routes/users.js'. The flaw can lead to Cross Site Scripting (XSS) attacks, which might be executed remotely by an attacker. The vendor was made aware of this issue prior to public disclosure but has not communicated or responded. Users are advised to take precautions and monitor for any potential exploit attempts.

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
