CVE-2025-60249 is a medium-severity cross-site scripting (XSS) vulnerability affecting version 2.16.0 of the CIRCL vulnerability-lookup application. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically in the Bundles, Comments, and Sightings components of the application. Users with privileges to add bundles, comments, or sightings can inject arbitrary JavaScript code due to unsafe use of innerHTML assignments and insufficient validation of dynamic URLs and model fields. This improper handling allows malicious scripts to be executed in the context of other users' browsers when viewing affected pages, potentially leading to session hijacking, unauthorized actions, or data theft. The root cause is the failure to sanitize untrusted input before rendering it in templates and tables. The vulnerability has been addressed by escaping untrusted data, replacing innerHTML with safer DOM manipulation methods, encoding URLs using encodeURIComponent, and enhancing input validation in the affected models. The CVSS v3.1 base score is 6.4, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change.

For European organizations using CIRCL vulnerability-lookup 2.16.0, this vulnerability poses a risk of client-side code injection that could compromise the confidentiality and integrity of sensitive vulnerability data. Since the application is designed for managing and sharing vulnerability information, exploitation could allow attackers to manipulate displayed data, steal session tokens, or perform actions on behalf of legitimate users. This could undermine trust in vulnerability management processes and lead to further exploitation if attackers gain access to sensitive security information. The medium severity indicates a moderate risk; however, the requirement for a user with privileges to add content limits the attack surface to insiders or compromised accounts. European organizations involved in cybersecurity research, vulnerability coordination, or incident response that rely on this tool are particularly at risk. Additionally, the scope change in the CVSS vector suggests that exploitation can affect components beyond the initially vulnerable ones, potentially impacting multiple users and systems within an organization.

European organizations should immediately upgrade CIRCL vulnerability-lookup instances to a patched version that addresses CVE-2025-60249. If an official patch is not yet available, temporary mitigations include restricting the ability to add bundles, comments, or sightings to highly trusted users only, implementing strict input validation and sanitization at the application or web server level, and employing Content Security Policy (CSP) headers to limit the execution of injected scripts. Regularly audit user privileges and monitor logs for suspicious activities related to content additions. Additionally, review and harden web application firewall (WAF) rules to detect and block XSS payloads targeting the affected components. Educate users about the risks of XSS and encourage the use of multi-factor authentication to reduce the risk of account compromise. Finally, conduct thorough testing of the application post-upgrade to ensure that the vulnerability is fully remediated and no residual unsafe code remains.