CVE-2025-61190 identifies a reflected Cross-Site Scripting (XSS) vulnerability in DSpace JSPUI version 6.5, a popular open-source digital repository platform used primarily by academic, research, and cultural institutions worldwide. The vulnerability exists within the search/discover filtering functionality, specifically due to improper sanitization of user-supplied input passed via the filter_type_1 parameter. Reflected XSS occurs when malicious input is immediately returned in the server's response without adequate encoding or validation, enabling attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to a range of attacks including session hijacking, cookie theft, defacement, or redirection to malicious sites. Although no public exploits have been reported yet, the vulnerability's presence in a widely deployed platform increases the risk of targeted attacks, especially against institutions managing sensitive or proprietary digital content. The lack of a CVSS score indicates that the vulnerability is newly disclosed and pending further assessment. The absence of authentication requirements and the ease of triggering the reflected XSS via crafted URLs or form inputs make this vulnerability particularly exploitable. The vulnerability underscores the importance of robust input validation and output encoding in web applications, especially those handling user-generated or dynamic content. DSpace administrators should prioritize patching or applying mitigations once available to prevent exploitation.

The potential impact of CVE-2025-61190 is significant for organizations using DSpace JSPUI 6.5, especially academic, research, and cultural institutions that rely on the platform to manage and disseminate digital content. Successful exploitation of this reflected XSS vulnerability could allow attackers to execute arbitrary scripts in users' browsers, leading to session hijacking, theft of authentication tokens, unauthorized actions on behalf of users, and exposure of sensitive information. This can undermine user trust, compromise user accounts, and potentially lead to further network intrusion if attackers leverage stolen credentials. Additionally, attackers could use the vulnerability to deliver malware or conduct phishing attacks by redirecting users to malicious sites. While the vulnerability does not directly compromise server integrity or availability, the confidentiality and integrity of user sessions and data are at risk. The widespread use of DSpace in multiple countries and sectors increases the attack surface, making this a concern for organizations worldwide. The absence of known exploits currently limits immediate risk, but the vulnerability's nature and ease of exploitation warrant prompt attention to prevent future attacks.

To mitigate CVE-2025-61190, organizations should implement the following specific measures: 1) Apply input validation on the filter_type_1 parameter to strictly allow only expected values or sanitize inputs to remove or encode potentially malicious characters. 2) Implement proper output encoding (e.g., HTML entity encoding) when reflecting user input in the web interface to prevent script execution. 3) Deploy a Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable code, reducing the impact of any injected scripts. 4) Monitor web server logs for suspicious requests targeting the filter_type_1 parameter to detect potential exploitation attempts. 5) Educate users and administrators about the risks of XSS and encourage cautious handling of URLs and inputs. 6) Stay updated with DSpace security advisories and apply patches or updates as soon as they become available. 7) Consider using web application firewalls (WAFs) with rules designed to detect and block reflected XSS attacks targeting known vulnerable parameters. These targeted actions go beyond generic advice and address the specific vector and context of this vulnerability.