CVE-2025-11360 is a cross-site scripting vulnerability identified in the jakowenko double-take product, specifically affecting versions 1.13.0 and 1.13.1. The vulnerability arises from improper sanitization of the X-Ingress-Path HTTP header within the API component's app.use function located in api/src/app.js. This flaw allows an attacker to craft a malicious X-Ingress-Path header that injects executable script code into the web application's response. Since the attack vector is remote and does not require authentication, any user accessing the vulnerable application with a manipulated header could execute arbitrary JavaScript in their browser context. The vulnerability impacts the confidentiality and integrity of user sessions by enabling theft of cookies, session tokens, or performing actions on behalf of the user. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of exploitation (no privileges or authentication needed) but requiring user interaction to trigger the payload. The vulnerability is resolved by upgrading to version 1.13.2, which includes a patch identified by commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50. No public exploits have been reported yet, but the presence of this vulnerability in an API component suggests potential for targeted phishing or social engineering attacks leveraging the XSS flaw.

For European organizations, the primary impact of CVE-2025-11360 lies in the potential compromise of user data and session integrity through client-side script injection. This could lead to theft of sensitive information, unauthorized actions performed in the context of authenticated users, and reputational damage if exploited. Organizations relying on jakowenko double-take for API services or web applications may face increased risk of targeted attacks, especially if their user base includes high-value or sensitive profiles. The vulnerability could be leveraged in spear-phishing campaigns or combined with other attack vectors to escalate privileges or move laterally within networks. Given the medium severity and the requirement for user interaction, the risk is moderate but non-negligible, particularly for sectors with stringent data protection requirements such as finance, healthcare, and government. Failure to patch could also result in non-compliance with GDPR mandates on data security and breach prevention.

The definitive mitigation is to upgrade jakowenko double-take to version 1.13.2 or later, which contains the official patch addressing the XSS vulnerability. Organizations should audit their deployments to identify any instances running affected versions 1.13.0 or 1.13.1 and prioritize patching. Additionally, implementing strict input validation and sanitization on HTTP headers, especially X-Ingress-Path, can reduce risk. Web application firewalls (WAFs) should be configured to detect and block suspicious header manipulations. Security teams should also educate users about the risks of interacting with untrusted links or content that could trigger XSS attacks. Monitoring logs for anomalous header values and unusual user activity can help detect exploitation attempts. Finally, adopting Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution contexts.